Описание
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically /var/lib/docker) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.
A file permissions vulnerability was found in the Moby (Docker Engine). The Moby data directory (usually /var/lib/docker) contains subdirectories with insufficiently restricted permissions, allowing unprivileged Linux users to traverse directory contents and execute programs. When the running container contains executable programs with the extended permission bits (like setuid), unprivileged Linux users can discover and execute those programs. Additionally, when the UID of an unprivileged Linux user on the host collides with the file owner or group inside a container, the unprivileged Linux user on the host can discover, read, and modify those files. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Отчет
In the OpenShift Container Platform (OCP), the Migration Toolkit for Virtualization (MTV) and the Red Hat Advanced Cluster Management for Kubernetes (RHACM) some components bundle github.com/moby/moby. However, successful exploitation requires direct access to the cluster hosts, which is not allowed by default and is available only to the cluster administrators, so the impact of this vulnerability to these components is Low. Starting in OCP 4.7 the github.com/moby/moby is not shipped anymore in the openshift4-wincw/windows-machine-config-rhel8-operator component (Red Hat OpenShift Container Platform for Windows Containers version 2) , hence this component is marked as Will not fix.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-controller-rhel9 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/agent-service-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/assisted-installer-agent-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/assisted-installer-reporter-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/assisted-installer-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-subscription-release-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/multicluster-operators-subscription-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm-assisted-service-container | Affected | ||
| Red Hat Advanced Cluster Security 3 | advanced-cluster-security/rhacs-rhel8-operator | Not affected |
Показывать по
Дополнительная информация
Статус:
6.3 Medium
CVSS3
Связанные уязвимости
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to hos...
Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host v
Moby is an open-source project created by Docker to enable software co ...
Moby (Docker Engine) Insufficiently restricted permissions on data directory
Уязвимость средства автоматизации развёртывания и управления приложениями в средах с поддержкой контейнеризации Docker, связанная с неправильным сохранением разрешений, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании
6.3 Medium
CVSS3