Headline
CVE-2022-27651: do not set the inheritable capabilities · containers/buildah@e7e55c9
A flaw was found in buildah where containers were incorrectly started with non-empty default permissions. A bug was found in Moby (Docker Engine) where containers were incorrectly started with non-empty inheritable Linux process capabilities, enabling an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. This has the potential to impact confidentiality and integrity.
@@ -1964,9 +1964,6 @@ func setupCapAdd(g *generate.Generator, caps …string) error {
if err := g.AddProcessCapabilityEffective(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the effective capability set", cap)
}
if err := g.AddProcessCapabilityInheritable(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the inheritable capability set", cap)
}
if err := g.AddProcessCapabilityPermitted(cap); err != nil {
return errors.Wrapf(err, "error adding %q to the permitted capability set", cap)
}
@@ -1985,9 +1982,6 @@ func setupCapDrop(g *generate.Generator, caps …string) error {
if err := g.DropProcessCapabilityEffective(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the effective capability set", cap)
}
if err := g.DropProcessCapabilityInheritable(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the inheritable capability set", cap)
}
if err := g.DropProcessCapabilityPermitted(cap); err != nil {
return errors.Wrapf(err, "error removing %q from the permitted capability set", cap)
}
Related news
Red Hat Security Advisory 2022-4816-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include a privilege escalation vulnerability.
An update for the container-tools:3.0 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1227: psgo: Privilege escalation in 'podman top' * CVE-2022-27649: podman: Default inheritable capabilities for linux container should be empty * CVE-2022-27651: buildah: Default inheritable capabilities for linux container should be empty
Red Hat Security Advisory 2022-4651-01 - The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc. Issues addressed include a privilege escalation vulnerability.
An update for the container-tools:2.0 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1227: psgo: Privilege escalation in 'podman top' * CVE-2022-27649: podman: Default inheritable capabilities for linux container should be empty * CVE-2022-27651: buildah: Default inheritable capabilities for linux container should be empty
An update for the container-tools:rhel8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-1227: psgo: Privilege escalation in 'podman top' * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter * CVE-2022-27649: podman: Default inheritable capabilities for linux container should be empty * CVE-2022-27650: crun: Default inheritable capabilities for linux container should be empty...