Описание
Security update for containerd, docker, runc
This update for containerd, docker, runc fixes the following issues:
-
Docker was updated to 20.10.6-ce
- Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476).
- CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)
- CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730).
-
runc was updated to v1.0.0~rc93 (bsc#1182451 and bsc#1184962).
- Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
- Fixed /dev/null is not available (bsc#1168481).
- Fixed an issue where podman hangs when spawned by salt-minion process (bsc#1149954).
- CVE-2019-19921: Fixed a race condition with shared mounts (bsc#1160452).
- CVE-2019-16884: Fixed an LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308).
- CVE-2019-5736: Fixed potential write attacks to the host runc binary (bsc#1121967).
- Fixed an issue where after a kernel-update docker doesn't run (bsc#1131314 bsc#1131553)
- Ensure that we always include the version information in runc (bsc#1053532).
-
Switch to Go 1.13 for build.
- CVE-2018-16873: Fixed a potential remote code execution (bsc#1118897).
- CVE-2018-16874: Fixed a directory traversal in 'go get' via curly braces in import paths (bsc#1118898).
- CVE-2018-16875: Fixed a CPU denial of service (bsc#1118899).
- Fixed an issue with building containers (bsc#1095817).
-
containerd was updated to v1.4.4
- CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
- Handle a requirement from docker (bsc#1181594).
- Install the containerd-shim* binaries and stop creating (bsc#1183024).
- update version to the one required by docker (bsc#1034053)
-
Use -buildmode=pie for tests and binary build (bsc#1048046, bsc#1051429)
-
Cleanup seccomp builds similar (bsc#1028638).
-
Update to handle the docker-runc removal, and drop the -kubic flavour (bsc#1181677, bsc#1181749)
Список пакетов
Image SLES12-SP5-Azure-Basic-On-Demand
Image SLES12-SP5-Azure-Standard-On-Demand
Image SLES12-SP5-EC2-ECS-On-Demand
Image SLES12-SP5-EC2-On-Demand
Image SLES12-SP5-GCE-On-Demand
SUSE Linux Enterprise Module for Containers 12
Ссылки
- Link for SUSE-SU-2021:1458-1
- E-Mail link for SUSE-SU-2021:1458-1
- SUSE Security Ratings
- SUSE Bug 1028638
- SUSE Bug 1034053
- SUSE Bug 1048046
- SUSE Bug 1051429
- SUSE Bug 1053532
- SUSE Bug 1095817
- SUSE Bug 1118897
- SUSE Bug 1118898
- SUSE Bug 1118899
- SUSE Bug 1121967
- SUSE Bug 1131314
- SUSE Bug 1131553
- SUSE Bug 1149954
- SUSE Bug 1152308
- SUSE Bug 1160452
- SUSE Bug 1168481
- SUSE Bug 1175081
Описание
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".
Затронутые продукты
Ссылки
- CVE-2018-16873
- SUSE Bug 1118897
- SUSE Bug 1118898
- SUSE Bug 1118899
Описание
In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.
Затронутые продукты
Ссылки
- CVE-2018-16874
- SUSE Bug 1118897
- SUSE Bug 1118898
- SUSE Bug 1118899
Описание
The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.
Затронутые продукты
Ссылки
- CVE-2018-16875
- SUSE Bug 1118897
- SUSE Bug 1118898
- SUSE Bug 1118899
Описание
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.
Затронутые продукты
Ссылки
- CVE-2019-16884
- SUSE Bug 1152308
Описание
runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)
Затронутые продукты
Ссылки
- CVE-2019-19921
- SUSE Bug 1160452
- SUSE Bug 1208962
Описание
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Затронутые продукты
Ссылки
- CVE-2019-5736
- SUSE Bug 1121967
- SUSE Bug 1122185
- SUSE Bug 1173421
- SUSE Bug 1218894
Описание
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.
Затронутые продукты
Ссылки
- CVE-2021-21284
- SUSE Bug 1181732
Описание
In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.
Затронутые продукты
Ссылки
- CVE-2021-21285
- SUSE Bug 1181730
Описание
In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.
Затронутые продукты
Ссылки
- CVE-2021-21334
- SUSE Bug 1183397