Description
The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack."
A flaw was found in the way the Linux kernel's file system implementation handled rename operations in which the source was inside and the destination was outside of a bind mount. A privileged user inside a container could use this flaw to escape the bind mount and, potentially, escalate their privileges on the system.
Report
This issue does not affect the version of the kernel package as shipped with Red Hat Enterprise Linux 5. This issue affects the versions of Linux kernel as shipped with Red Hat Enterprise Linux 6 and 7 and Red Hat Enterprise MRG 2. Future kernel updates for the respective releases may address this issue.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | kernel | Not affected | | |
Red Hat Enterprise Linux 6 | kernel | Fixed | RHSA-2015:2636 | 15.12.2015 |
Red Hat Enterprise Linux 7 | kernel-rt | Fixed | RHSA-2015:2411 | 19.11.2015 |
Red Hat Enterprise Linux 7 | kernel | Fixed | RHSA-2015:2152 | 19.11.2015 |
Red Hat Enterprise Linux 7.1 Extended Update Support | kernel | Fixed | RHSA-2015:2587 | 09.12.2015 |
Red Hat Enterprise MRG 2 | kernel-rt | Fixed | RHSA-2016:0068 | 26.01.2016 |
Additional information
Status:
EPSS
6 Medium
CVSS2
Related vulnerabilities
ELSA-2016-3501: Unbreakable Enterprise kernel security update (IMPORTANT)