Описание
libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.
Отчет
This issue may affect OpenShift Container Platform 3.x and 4.x if you are providing a custom Seccomp profile using Security Context Constraints [1]. The custom Seccomp profile would need to specify multiple arguments, such as below, from [2]. { "names": [ "socketcall" ], "action": "SCMP_ACT_ALLOW", "args": [ { "index": 0, "value": 1, "valueTwo": 0, "op": "SCMP_CMP_EQ" }, { "index": 1, "value": 1, "valueTwo": 0, "op": "SCMP_CMP_EQ" } ], "comment": "", "includes": {}, "excludes": {} }, If such a profile was used the arguments could be combined as an OR rule, not AND, as the user might expect from Seccomp. [1] https://docs.openshift.com/container-platform/4.1/authentication/managing-security-context-constraints.html [2] https://github.com/moby/moby/issues/32714#issuecomment-295532163
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.10 | atomic-openshift | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift-enterprise-node-container | Affected | ||
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Fixed | RHSA-2020:2479 | 18.06.2020 |
| Red Hat OpenShift Container Platform 4.1 | openshift | Fixed | RHSA-2019:4087 | 17.12.2019 |
| Red Hat OpenShift Container Platform 4.1 | openshift4/ose-cli | Fixed | RHSA-2019:4090 | 17.12.2019 |
| Red Hat OpenShift Container Platform 4.1 | openshift4/ose-cli-artifacts | Fixed | RHSA-2019:4090 | 17.12.2019 |
| Red Hat OpenShift Container Platform 4.1 | openshift4/ose-hyperkube | Fixed | RHSA-2019:4090 | 17.12.2019 |
| Red Hat OpenShift Container Platform 4.1 | openshift4/ose-hypershift | Fixed | RHSA-2019:4090 | 17.12.2019 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.5 Medium
CVSS3
Связанные уязвимости
libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.
libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.
libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR ...
Уязвимость программного обеспечения libseccomp-golang, связанная с недостатком механизма проверки вводимых данных, позволяющая нарушителю оказать воздействие на целостность данных
EPSS
6.5 Medium
CVSS3