runc-1.1.9-1.el9
Errata ID: AXSA:2023-6674:03
The following issues have been addressed.
[Security Fix]
- runc has an integer overflow issue that allows an attacker with
partial control over the container configuration to bypass the
container's namespace restrictions by adding a netlink payload
that disables all namespaces. (CVE-2021-43784)
- Go's crypto/tls panics, on both the server and the client side,
when it builds a response to a large TLS handshake record,
allowing a remote attacker to cause a denial of service (crash)
by sending a large TLS handshake record. (CVE-2022-41724)
- runc allows a local attacker, under specific conditions, to write
to the host's /sys/fs/cgroup/user.slice hierarchy owned by the
user who ran the container. (CVE-2023-25809)
- runc has a race condition that causes access control to be
enforced incorrectly, allowing a local attacker who controls two
container images to escalate privileges. (CVE-2023-27561)
- runc allows a local attacker to bypass AppArmor protections via
an untrusted container image in which /proc inside the container
is a symlink under a specific mount configuration.
(CVE-2023-28642)
Please update the package.
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the basic namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, disallow untrusted namespace paths in your container configuration. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.
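The overflow described above, as an added illustration that is not runc's code: a netlink attribute (nlattr) encoder that casts the length to 16 bits without a check, a parser that walks attributes trusting each length field the way the receiving side does, and the bounds check that rejects the attribute before it is encoded. The attribute types (attrNsPath, attrDisableAllNs, attrFiller) are hypothetical stand-ins, not runc's constants, and the 65536-byte "namespace path" is constructed here so that its bytes are themselves well-formed attributes.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// A netlink attribute is a 2-byte length (header + payload), a 2-byte
// type, then the payload padded to a 4-byte boundary.
const nlaHdrLen = 4

// Hypothetical attribute types for this illustration; not runc's constants.
const (
	attrNsPath       uint16 = 1      // attacker-influenced namespace path
	attrDisableAllNs uint16 = 0x2a   // stands in for "config that disables namespaces"
	attrFiller       uint16 = 0xffff // keeps the crafted tail well-formed
)

var ErrTooLong = errors.New("netlink attribute does not fit a 16-bit length field")

func nlaAlign(n int) int { return (n + 3) &^ 3 }

// encodeBytesVuln models the pre-1.0.3 behaviour: the length is cast to
// uint16 with no check, so 65540 silently becomes 4.
func encodeBytesVuln(typ uint16, payload []byte) []byte {
	buf := make([]byte, nlaHdrLen+nlaAlign(len(payload)))
	binary.LittleEndian.PutUint16(buf[0:2], uint16(nlaHdrLen+len(payload))) // truncating cast
	binary.LittleEndian.PutUint16(buf[2:4], typ)
	copy(buf[nlaHdrLen:], payload)
	return buf
}

// encodeBytesSafe rejects anything the 16-bit field cannot represent.
func encodeBytesSafe(typ uint16, payload []byte) ([]byte, error) {
	if nlaHdrLen+len(payload) > math.MaxUint16 {
		return nil, ErrTooLong
	}
	return encodeBytesVuln(typ, payload), nil
}

type attr struct {
	Type    uint16
	Payload []byte
}

// parseAttrs walks a buffer of attributes, trusting each length field.
func parseAttrs(buf []byte) ([]attr, error) {
	var out []attr
	for len(buf) >= nlaHdrLen {
		l := int(binary.LittleEndian.Uint16(buf[0:2]))
		t := binary.LittleEndian.Uint16(buf[2:4])
		if l < nlaHdrLen || l > len(buf) {
			return out, fmt.Errorf("bad attribute length %d", l)
		}
		out = append(out, attr{Type: t, Payload: buf[nlaHdrLen:l]})
		step := nlaAlign(l)
		if step > len(buf) {
			step = len(buf)
		}
		buf = buf[step:]
	}
	return out, nil
}

// buildAttackerPath returns a constructed 65536-byte "path" made of valid
// attributes. With the truncating cast, the outer header claims length 4,
// so the parser steps straight into this tail and reads the injected one.
func buildAttackerPath() []byte {
	p := encodeBytesVuln(attrDisableAllNs, []byte{1, 0, 0, 0}) // 8 bytes
	filler := make([]byte, 65536-len(p)-nlaHdrLen)             // 65524 bytes
	return append(p, encodeBytesVuln(attrFiller, filler)...)   // 65536 total
}

// vulnerableTypes reports the attribute types a parser sees for the
// oversized path when it is encoded without the check.
func vulnerableTypes() []uint16 {
	attrs, _ := parseAttrs(encodeBytesVuln(attrNsPath, buildAttackerPath()))
	types := make([]uint16, 0, len(attrs))
	for _, a := range attrs {
		types = append(types, a.Type)
	}
	return types
}

func main() {
	fmt.Printf("vulnerable encoder, parsed types: %#v\n", vulnerableTypes())
	_, err := encodeBytesSafe(attrNsPath, buildAttackerPath())
	fmt.Println("checked encoder:", err)
}
```

With the truncating encoder the parser reports three attributes (the empty path, the injected 0x2a attribute, the filler) where the caller meant to send one; the checked encoder refuses the same input with ErrTooLong and still round-trips an ordinary path such as `/proc/1/ns/net`.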
Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS handshake records which cause servers and clients, respectively, to panic when attempting to construct responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client certificates (by setting Config.ClientAuth >= RequestClientCert).
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain write access to the user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host. Other users' cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private`; this is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts) or add `/sys/fs/cgroup` to `maskedPaths`.
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. Users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.
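An added pre-flight audit for the two CVE-2023-25809 conditions above and for the symlinked `/proc` that runc 1.1.5 rejects for CVE-2023-28642 (example code, not runc's own): it parses only the subset of `config.json` it needs, reports which condition a bundle matches, checks whether the rootfs `proc` entry is a symlink, and applies the two workarounds the text names (unsharing the cgroup namespace, adding `/sys/fs/cgroup` to `maskedPaths`). Whether runc itself is executed inside a user namespace is not visible in `config.json`, so it is passed in as a flag. The embedded `config.json` is constructed to resemble a Rootless Docker/Podman/nerdctl run with `--cgroupns=host`; the function and type names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)

// Only the parts of the OCI runtime spec this audit reads. Unknown fields
// are dropped on decode, so audit with this but edit the real file by hand.
type Mount struct {
	Destination string   `json:"destination"`
	Type        string   `json:"type,omitempty"`
	Options     []string `json:"options,omitempty"`
}

type Namespace struct {
	Type string `json:"type"`
}

type Linux struct {
	Namespaces  []Namespace `json:"namespaces"`
	MaskedPaths []string    `json:"maskedPaths,omitempty"`
}

type Spec struct {
	Mounts []Mount `json:"mounts"`
	Linux  *Linux  `json:"linux"`
}

// Constructed config.json resembling Rootless Docker/Podman/nerdctl with
// --cgroupns=host: runc already runs inside the user namespace (so none is
// listed) and no "cgroup" namespace is unshared.
const sampleConfig = `{
  "mounts": [
    {"destination": "/sys", "type": "sysfs", "source": "sysfs",
     "options": ["nosuid", "noexec", "nodev", "ro"]}
  ],
  "linux": {
    "namespaces": [{"type": "pid"}, {"type": "network"}, {"type": "ipc"},
                   {"type": "uts"}, {"type": "mount"}]
  }
}`

// ParseSpec decodes a config.json; on error the returned Spec is partial.
func ParseSpec(data []byte) (*Spec, error) {
	s := &Spec{}
	return s, json.Unmarshal(data, s)
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

func (s *Spec) hasNamespace(t string) bool {
	if s.Linux == nil {
		return false
	}
	for _, ns := range s.Linux.Namespaces {
		if ns.Type == t {
			return true
		}
	}
	return false
}

// sysRbindRO: /sys is a read-only recursive bind of the host's /sys, as
// `runc spec --rootless` generates it (condition 2). Options are matched
// exactly, not by substring, so "errors=..." never looks like "ro".
func (s *Spec) sysRbindRO() bool {
	for _, m := range s.Mounts {
		if m.Destination == "/sys" && contains(m.Options, "rbind") && contains(m.Options, "ro") {
			return true
		}
	}
	return false
}

func (s *Spec) cgroupMasked() bool {
	return s.Linux != nil && contains(s.Linux.MaskedPaths, "/sys/fs/cgroup")
}

// AuditCgroup maps a bundle onto the two conditions. runcInUserNS says
// whether runc itself is executed inside a user namespace (true for
// Rootless Docker/Podman/nerdctl); config.json alone cannot tell.
func AuditCgroup(s *Spec, runcInUserNS bool) (affected bool, reason string) {
	switch {
	case s.cgroupMasked():
		return false, "mitigated: /sys/fs/cgroup is in maskedPaths"
	case runcInUserNS && !s.hasNamespace("cgroup"):
		return true, "condition 1: runc inside user namespace, cgroup namespace not unshared"
	case !runcInUserNS && s.sysRbindRO():
		return true, "condition 2: runc outside user namespace, /sys mounted rbind,ro"
	}
	return false, "not affected"
}

// Harden applies both workarounds: unshare the cgroup namespace and mask
// /sys/fs/cgroup.
func Harden(s *Spec) {
	if s.Linux == nil {
		s.Linux = &Linux{}
	}
	if !s.hasNamespace("cgroup") {
		s.Linux.Namespaces = append(s.Linux.Namespaces, Namespace{Type: "cgroup"})
	}
	if !s.cgroupMasked() {
		s.Linux.MaskedPaths = append(s.Linux.MaskedPaths, "/sys/fs/cgroup")
	}
}

// ProcIsSymlink mirrors the rule runc 1.1.5 enforces for CVE-2023-28642:
// the rootfs's proc entry must not be a symlink. A missing entry is
// reported as not a symlink.
func ProcIsSymlink(rootfs string) (bool, error) {
	fi, err := os.Lstat(filepath.Join(rootfs, "proc"))
	if os.IsNotExist(err) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return fi.Mode()&os.ModeSymlink != 0, nil
}

func main() {
	spec, _ := ParseSpec([]byte(sampleConfig))
	fmt.Println(AuditCgroup(spec, true))
	Harden(spec)
	fmt.Println(AuditCgroup(spec, true))
}
```

Run it against each bundle's `config.json` before the upgrade lands; a bundle that is flagged should either get the cgroup namespace (the default on cgroup v2 hosts) or the `maskedPaths` entry, and an image whose rootfs `proc` is a symlink should not be run at all on runc older than 1.1.5.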
N/A
SRPMS
- runc-1.1.9-1.el9.src.rpm
MD5: 8426bdc9853bdced5a50c88643602946
SHA-256: ee2404064fa2218d6f03eb8b942247279e94e522c080de0a901c91c90f686b05
Size: 2.36 MB
Asianux Server 9 for x86_64
- runc-1.1.9-1.el9.x86_64.rpm
MD5: f0d8628fbb88292aa4ed66e5a404e4eb
SHA-256: b3d2ad7fef4869c308531b0d6d5f37aa275057bd01a6f3f127bdb6fddbc1eb13
Size: 3.07 MB