CVE-2022-27652

Опубликовано: 30 мар. 2022

Источник: redhat

CVSS3: 4.8

Описание

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

Отчет

This issue is related to the general vulnerability found in Moby (Docker Engine), which has been assigned CVE-2022-24769. After further investigation we came to the conclusion that this CVE has a very minimal impact on Red Hat OpenShift Container Platform.

Меры по смягчению последствий

The entry point of a container can be modified to use a utility like capsh(1) to drop inheritable capabilities prior to the primary process starting.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat OpenShift Container Platform 3.11	cri-o	Out of support scope
Red Hat OpenShift Container Platform 4.10	cri-o	Fixed	RHSA-2022:1600	02.05.2022
Red Hat OpenShift Container Platform 4.9	cri-o	Fixed	RHBA-2022:5433	05.07.2022

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-276

https://bugzilla.redhat.com/show_bug.cgi?id=2066839cri-o: Default inheritable capabilities for linux container should be empty

4.8 Medium

CVSS3

Связанные уязвимости

CVE-2022-27652

CVSS3: 5.3

ubuntu

почти 4 года назад

CVE-2022-27652

CVSS3: 5.3

nvd

почти 4 года назад

CVE-2022-27652

CVSS3: 5.3

debian

почти 4 года назад

A flaw was found in cri-o, where containers were incorrectly started w ...

GHSA-4hj2-r2pm-3hc6

CVSS3: 4.8

github

почти 4 года назад

Incorrect Default Permissions in CRI-O

4.8 Medium

CVSS3