[Bugs] [Bug 13308] New: [CVE 21] runc 1.0.2 CVEs found
bugzilla
bugzilla at rosalinux.ru
Wed May 3 17:02:26 MSK 2023
https://bugzilla.rosalinux.ru/show_bug.cgi?id=13308
Platform: 2021.1
Bug ID: 13308
Summary: [CVE 21] runc 1.0.2 CVEs found
Classification: ROSA-based products
Product: ROSA Fresh
Version: All
Hardware: All
URL: CVE-2021-43784, CVE-2022-24769, CVE-2022-29162,
CVE-2023-25809, CVE-2023-27561, CVE-2023-28642
OS: Linux
Status: CONFIRMED
Severity: normal
Priority: Normal
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: bugs at lists.rosalinux.ru
Reporter: y.tumanov at rosalinux.ru
QA Contact: bugs at lists.rosalinux.ru
CC: s.matveev at rosalinux.ru, y.tumanov at rosalinux.ru
Target Milestone: ---
Flags: secteam_verified?
Please patch CVEs for package runc version 1.0.2
INFO (CVEs are): runc 1.0.2
CVEs found
CVE-2021-43784
Desc: runc is a CLI tool for spawning and running containers on Linux according
to the OCI specification. In runc, netlink is used internally as a
serialization system for specifying the relevant container configuration to the
`C` portion of the code (responsible for the based namespace setup of
containers). In all versions of runc prior to 1.0.3, the encoder did not handle
the possibility of an integer overflow in the 16-bit length field for the byte
array attribute type, meaning that a large enough malicious byte array
attribute could result in the length overflowing and the attribute contents
being parsed as netlink messages for container configuration. This
vulnerability requires the attacker to have some control over the configuration
of the container and would allow the attacker to bypass the namespace
restrictions of the container by simply adding their own netlink payload which
disables all namespaces. The main users impacted are those who allow untrusted
images with untrusted configurations to run on their machines (such as with
shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug.
As a workaround, one may try disallowing untrusted namespace paths from your
container. It should be noted that untrusted namespace paths would allow the
attacker to disable namespace protections entirely even in the absence of this
bug.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-43784
Severity: MEDIUM
CVE-2022-24769
Desc: Moby is an open-source project created by Docker to enable and accelerate
software containerization. A bug was found in Moby (Docker Engine) prior to
version 20.10.14 where containers were incorrectly started with non-empty
inheritable Linux process capabilities, creating an atypical Linux environment
and enabling programs with inheritable file capabilities to elevate those
capabilities to the permitted set during `execve(2)`. Normally, when executable
programs have specified permitted file capabilities, otherwise unprivileged
users and processes can execute those programs and gain the specified file
capabilities up to the bounding set. Due to this bug, containers which included
executable programs with inheritable file capabilities allowed otherwise
unprivileged users and processes to additionally gain these inheritable file
capabilities up to the container's bounding set. Containers which use Linux
users and groups to perform privilege separation inside the container are most
directly impacted. This bug did not affect the container security sandbox as
the inheritable set never contained more capabilities than were included in the
container's bounding set. This bug has been fixed in Moby (Docker Engine)
20.10.14. Running containers should be stopped, deleted, and recreated for the
inheritable capabilities to be reset. This fix changes Moby (Docker Engine)
behavior such that containers are started with a more typical Linux
environment. As a workaround, the entry point of a container can be modified to
use a utility like `capsh(1)` to drop inheritable capabilities prior to the
primary process starting.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-24769
Severity: MEDIUM
CVE-2022-29162
Desc: runc is a CLI tool for spawning and running containers on Linux according
to the OCI specification. A bug was found in runc prior to version 1.1.2 where
`runc exec --cap` created processes with non-empty inheritable Linux process
capabilities, creating an atypical Linux environment and enabling programs with
inheritable file capabilities to elevate those capabilities to the permitted
set during execve(2). This bug did not affect the container security sandbox as
the inheritable set never contained more capabilities than were included in the
container's bounding set. This bug has been fixed in runc 1.1.2. This fix
changes `runc exec --cap` behavior such that the additional capabilities
granted to the process being executed (as specified via `--cap` arguments) do
not include inheritable capabilities. In addition, `runc spec` is changed to
not set any inheritable capabilities in the created example OCI spec
(`config.json`) file.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-29162
Severity: HIGH
CVE-2023-25809
Desc: runc is a CLI tool for spawning and running containers according to the
OCI specification. In affected versions it was found that rootless runc makes
`/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed
inside the user namespace, and the `config.json` does not specify the cgroup
namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host`,
with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the
user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec
--rootless`; this condition is very rare). A container may gain write
access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the
host. Other users' cgroup hierarchies are not affected. Users are advised to
upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup
namespace (`(docker|podman|nerdctl) run --cgroupns=private`; this is the
default behavior of Docker/Podman/nerdctl on cgroup v2 hosts) or add
`/sys/fs/cgroup` to `maskedPaths`.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-25809
Severity: MEDIUM
CVE-2023-27561
Desc: runc through 1.1.4 has Incorrect Access Control leading to Escalation of
Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an
attacker must be able to spawn two containers with custom volume-mount
configurations, and be able to run custom images. NOTE: this issue exists
because of a CVE-2019-19921 regression.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-27561
Severity: HIGH
CVE-2023-28642
Desc: runc is a CLI tool for spawning and running containers according to the
OCI specification. It was found that AppArmor can be bypassed when `/proc`
inside the container is symlinked with a specific mount configuration. This
issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`.
See PR #3785 for details. Users are advised to upgrade. Users unable to upgrade
should avoid using an untrusted container image.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-28642
Severity: HIGH
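Added example, not part of the bug report or of runc itself: a POSIX sh check that lists which of the CVEs in this report are still unfixed in a given runc version, using the fixed-in versions stated in the descriptions above (1.0.3 for CVE-2021-43784, 1.1.2 for CVE-2022-29162, 1.1.5 for CVE-2023-25809, CVE-2023-27561 and CVE-2023-28642). CVE-2022-24769 is a Moby (Docker Engine) bug fixed in Moby 20.10.14, so a runc version check says nothing about it and it is left out of the table. The function names, the handling of pre-release suffixes and the assumption that the first line of `runc --version` reads `runc version X.Y.Z` are mine, not runc's.

```shell
#!/bin/sh
# Added example, not part of the bug report or of runc itself.
# Lists the CVEs from this report whose fix is newer than a given runc version.

# Fixed-in versions as stated in the CVE descriptions above. CVE-2022-24769 is a
# Moby (Docker Engine) bug (fixed in Moby 20.10.14), not a runc one, so it is
# deliberately absent: a runc version check says nothing about it.
FIXES='CVE-2021-43784 1.0.3
CVE-2022-29162 1.1.2
CVE-2023-25809 1.1.5
CVE-2023-27561 1.1.5
CVE-2023-28642 1.1.5'

# version_ge A B: succeed when version A is >= version B. Dot-separated numeric
# fields are compared left to right, missing fields count as 0, and a
# pre-release suffix ("1.1.5-rc.1") sorts below the plain release ("1.1.5").
# Two pre-releases of the same base version are treated as equal (assumption).
version_ge() {
  a=${1%%-*}; b=${2%%-*}          # numeric part
  pa=${1#"$a"}; pb=${2#"$b"}      # "-rc.1"-style suffix, or empty
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$a" = "$x" ] && a='' || a=${a#*.}
    [ "$b" = "$y" ] && b='' || b=${b#*.}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  # Same numeric version: only a pre-release loses against a final release.
  [ -z "$pa" ] || [ -n "$pb" ]
}

# unfixed_cves VERSION: print, one per line, the CVE IDs not fixed in VERSION.
unfixed_cves() {
  printf '%s\n' "$FIXES" | while read -r cve fixed; do
    version_ge "$1" "$fixed" || printf '%s\n' "$cve"
  done
}

# Usage: check the installed runc, if any. Its first output line is assumed to
# read "runc version X.Y.Z" (assumption about runc's --version format).
if command -v runc >/dev/null 2>&1; then
  unfixed_cves "$(runc --version | awk 'NR == 1 { print $3 }')"
fi
```

For the 1.0.2 package this bug is about, `unfixed_cves 1.0.2` prints all five runc CVEs; anything at or above 1.1.5 prints nothing.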
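Added example, not part of the bug report or of runc/Moby: the condition CVE-2022-24769 and CVE-2022-29162 describe is a process whose inheritable capability set (CapInh) is non-empty, which lets a binary carrying inheritable file capabilities raise them into its permitted set on execve(2). This POSIX sh snippet decodes the Cap* lines of a /proc/<pid>/status text and reports a non-empty inheritable set, so it can be run inside a container (for example from its entrypoint, before applying the `capsh(1)` workaround the description mentions) or over a captured status file. The two sample status texts are constructed; the buggy one uses the 14-capability mask 0xa80425fb that Docker grants by default. The capability name table follows the bit order of linux/capability.h; function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the bug report or of runc/Moby.
# Decodes Cap* lines from /proc/<pid>/status text and flags a non-empty
# inheritable set, the condition behind CVE-2022-24769 / CVE-2022-29162.

# Capability names indexed by bit number (linux/capability.h order).
CAP_NAMES='chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore'

# Constructed sample: a pre-fix Docker 20.10 container, CapInh == CapBnd.
SAMPLE_BUGGY='Name:   sh
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000'

# Constructed sample: the same container after the fix, empty CapInh.
SAMPLE_FIXED='Name:   sh
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000'

# cap_field STATUS_TEXT NAME: print the mask of e.g. CapInh as a decimal.
cap_field() {
  hex=$(printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }')
  echo $((0x${hex:-0}))
}

# cap_names MASK: print the names of the bits set in MASK, space separated.
cap_names() {
  i=0; out=''
  for name in $CAP_NAMES; do
    if [ $(( ($1 >> i) & 1 )) -eq 1 ]; then out="$out $name"; fi
    i=$((i + 1))
  done
  printf '%s\n' "${out# }"
}

# check_inheritable STATUS_TEXT: succeed silently when CapInh is empty;
# otherwise print the inheritable capabilities and fail.
check_inheritable() {
  inh=$(cap_field "$1" CapInh)
  if [ "$inh" -eq 0 ]; then return 0; fi
  printf 'non-empty inheritable set: %s\n' "$(cap_names "$inh")"
  return 1
}

# Usage: check the current process when running on Linux.
if [ -r /proc/self/status ]; then
  check_inheritable "$(cat /proc/self/status)" || true
fi
```

On the constructed buggy sample the check prints the 14 inherited capabilities (chown, dac_override, fowner, ... setfcap) and fails; on the fixed sample it is silent. An empty CapInh is what a fixed Moby or `runc exec --cap` should leave behind, so a non-empty one in a freshly started container is the signal to look for.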