CVE-2023-25809 affecting package moby-runc 1.1.2+azure-4
CVE-2023-25809 affecting package moby-runc 1.1.2+azure-4. An upgraded version of the package is available that resolves this issue...
CVE-2023-28642 affecting package moby-runc 1.1.2+azure-4
CVE-2023-28642 affecting package moby-runc 1.1.2+azure-4. An upgraded version of the package is available that resolves this issue...
CVE-2023-27561 affecting package moby-runc 1.1.2+azure-4
CVE-2023-27561 affecting package moby-runc 1.1.2+azure-4. An upgraded version of the package is available that resolves this issue...
Security fix for the ALT Linux 10 package runc version 1.1.5-alt1
1.1.5-alt1 built April 20, 2023, Alexander Danilov, in task 318394. April 4, 2023, Vladimir Didenko: New version. Fixes: CVE-2023-25809, CVE-2023-27561, CVE-2023-28642...
OESA-2023-1218 runc security update
runc is a CLI tool for spawning and running containers according to the OCI specification. Security Fixes: It was found that AppArmor can be bypassed when /proc inside the container is symlinked with a...
EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2023-1617)
According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploi...
EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2023-1618)
According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: - runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be...
NewStart CGSL CORE 5.05 / MAIN 5.05 : docker-ce Multiple Vulnerabilities (NS-SA-2023-0014)
The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has docker-ce packages installed that are affected by multiple vulnerabilities: - Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby Docker Engine where attempting to...
Mageia: Security Advisory (MGASA-2023-0125)
The remote host is missing an update for the...
MGASA-2023-0125 Updated opencontainers-runc packages fix security vulnerability
/sys/fs/cgroup is writable when cgroupns isn't unshared (CVE-2023-25809); Regression that reintroduced CVE-2019-19921 - Incorrect Access Control leading to Escalation of Privileges (CVE-2023-27561); AppArmor/SELinux bypass with symlinked /proc (CVE-2023-28642)...
Updated opencontainers-runc packages fix security vulnerability
/sys/fs/cgroup is writable when cgroupns isn't unshared (CVE-2023-25809); Regression that reintroduced CVE-2019-19921 - Incorrect Access Control leading to Escalation of Privileges (CVE-2023-27561); AppArmor/SELinux bypass with symlinked /proc (CVE-2023-28642)...
Symlink Bypass
github.com/opencontainers/runc is vulnerable to a Symlink Attack. The vulnerability exists because the proc and sysfs attributes do not properly check whether the destination is a symlink, which allows an attacker to bypass AppArmor or SELinux when /proc inside the container is symlinked...
Improper Access Control
github.com/opencontainers/runc is vulnerable to Improper Access Control. The vulnerability exists because rootless runc makes /sys/fs/cgroup writable when runc is executed inside the user namespace and the config.json does not specify the cgroup namespace to be unshared, e.g., ...
SUSE SLES12 Security Update : runc (SUSE-SU-2023:1726-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:1726-1 advisory. - runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that...
SUSE-SU-2023:1726-1 Security update for runc
This update for runc fixes the following issues: Update to runc v1.1.5: Security fixes: - CVE-2023-25809: Fixed rootless /sys/fs/cgroup is writable when cgroupns isn't unshared bnc1209884. - CVE-2023-27561: Fixed regression that reintroduced CVE-2019-19921 vulnerability bnc1208962. -...
AppArmor bypass with symlinked /proc in runc
...
GHSA-G2J6-57V7-GM8C runc AppArmor bypass with symlinked /proc
Impact: It was found that AppArmor, and potentially SELinux, can be bypassed when /proc inside the container is symlinked with a specific mount configuration. Patches: Fixed in runc v1.1.5, by prohibiting symlinked /proc: https://github.com/opencontainers/runc/pull/3785 This PR fixes CVE-2023-27561...
GHSA-M8CG-XC2P-R3FC rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
Impact: It was found that rootless runc makes /sys/fs/cgroup writable in the following conditions: 1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared, e.g., docker|podman|nerdctl run --cgroupns=host, with Rootless...
CVE-2023-28642
A flaw was found in runc. This vulnerability could allow a remote attacker to bypass security restrictions and create a symbolic link inside a container to the /proc directory, bypassing AppArmor and SELinux protections. Mitigation: Avoid using an untrusted container image...
CVE-2023-25809
A flaw was found in runc, where it is vulnerable to a denial of service caused by improper access control in the /sys/fs/cgroup endpoint. This flaw allows a local authenticated attacker to cause a denial of service. Mitigation: Condition 1: Unshare the cgroup namespace docker|podman|nerdctl run...