Linux maintainers disclosed a broadly available Linux kernel vulnerability (CVE-2022-0185) that enables attackers to escape containers and gain full control over the node. To exploit this vulnerability, the attacker must be able to run code in the container, and the container must have CAP_SYS_ADMIN privileges. The Linux kernel maintainers and all major distro maintainers have released patches. This control alerts on vulnerable kernel versions on Kubernetes nodes.
The control checks the Linux kernel version reported by each Node object and fires an alert if it is above 5.1 and below 5.16.2.
Patch the Linux kernel to version 5.16.2 or above.
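The node kernel-version check described above can be reproduced offline as follows. This is an added example, not the control's own implementation; the function names and the sample node list are constructed, and both bounds are treated as exclusive, following the page's wording. Distribution kernels often backport fixes without changing the upstream version number, so treat a hit as a prompt to check the distro advisory.

```python
import json
import re

# Bounds from the control text: alert when 5.1 < version < 5.16.2.
LOWER = (5, 1, 0)
FIXED = (5, 16, 2)

# Constructed sample, shaped like `kubectl get nodes -o json` output.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {"kernelVersion": "5.4.0-91-generic"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {"kernelVersion": "5.16.2"}}},
    {"metadata": {"name": "node-c"}, "status": {"nodeInfo": {"kernelVersion": "5.16.1"}}},
    {"metadata": {"name": "node-d"}, "status": {"nodeInfo": {"kernelVersion": "4.19.0-18-amd64"}}},
    {"metadata": {"name": "node-e"}, "status": {"nodeInfo": {"kernelVersion": ""}}},
]})

def parse_kernel(release):
    """Return (major, minor, patch) from a uname-style release string, or None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def in_alert_range(release):
    """True when the parsed version lies strictly between LOWER and FIXED."""
    v = parse_kernel(release)
    return v is not None and LOWER < v < FIXED

def flag_nodes(nodes_json):
    """Return (flagged, unparsed) lists of (node name, kernelVersion)."""
    flagged, unparsed = [], []
    for item in json.loads(nodes_json).get("items", []):
        name = item.get("metadata", {}).get("name", "<unnamed>")
        release = item.get("status", {}).get("nodeInfo", {}).get("kernelVersion", "")
        if parse_kernel(release) is None:
            unparsed.append((name, release))  # surface instead of silently passing
        elif in_alert_range(release):
            flagged.append((name, release))
    return flagged, unparsed

if __name__ == "__main__":
    flagged, unparsed = flag_nodes(SAMPLE_NODES)
    for name, release in flagged:
        print(f"ALERT  {name}: kernel {release} is in the CVE-2022-0185 range")
    for name, release in unparsed:
        print(f"REVIEW {name}: could not parse kernel version {release!r}")
```

Nodes whose version string cannot be parsed are returned separately so they get a manual review rather than counting as unaffected.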