Описание
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
A flaw was found in buildah, where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
Отчет
This issue is related to the general vulnerability found in Moby (Docker Engine), which has been assigned CVE-2022-24769. The impact for OpenShift Container Platform is set to LOW as Buildah was shipped but is not being used. No update is planned at this time.
Меры по смягчению последствий
The entry point of a container can be modified to use a utility like capsh(1) to drop inheritable capabilities prior to the primary process starting.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | buildah | Affected | ||
| Red Hat Enterprise Linux 8 | container-tools:4.0/buildah | Not affected | ||
| Red Hat Enterprise Linux 9 | buildah | Not affected | ||
| Red Hat OpenShift Container Platform 4 | buildah | Will not fix | ||
| Red Hat Enterprise Linux 8 | container-tools | Fixed | RHSA-2022:1565 | 26.04.2022 |
| Red Hat Enterprise Linux 8 | container-tools | Fixed | RHSA-2022:1566 | 26.04.2022 |
| Red Hat Enterprise Linux 8 | container-tools | Fixed | RHSA-2022:1762 | 10.05.2022 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | container-tools | Fixed | RHSA-2022:4651 | 18.05.2022 |
| Red Hat Enterprise Linux 8.4 Extended Update Support | container-tools | Fixed | RHSA-2022:1407 | 19.04.2022 |
| Red Hat Enterprise Linux 8.4 Extended Update Support | container-tools | Fixed | RHSA-2022:4816 | 31.05.2022 |
Показывать по
Дополнительная информация
Статус:
EPSS
4.8 Medium
CVSS3
Связанные уязвимости
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
A flaw was found in buildah where containers were incorrectly started ...
EPSS
4.8 Medium
CVSS3