340 matches found
cri-o: infra container reparented to systemd following OOM Killer killing its conmon
A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get...
containers/image: Container images read entire image manifest into memory
A malicious container image can consume an unbounded amount of memory when being pulled to a container runtime host, such as Red Hat Enterprise Linux using podman, or OpenShift Container Platform. An attacker can use this flaw to trick a user, with privileges to pull container images, into crashi...
Moderate: Red Hat Bug Fix Advisory: runc bug fix update
Updated runc package that fixes several bugs is now available for Red Hat Enterprise Linux 7 Extras. The runc tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime. Users of runc are advised to upgrade to this updated package, which fixes...
runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation
A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume. The highest threat from this vulnerability is to data...
Exploit for OS Command Injection in Docker
CVE-2019-5736-Custom-Sandbox General CVE-2019-5736 implem...
PT-2020-9605 · Red Hat · Openshift Container Platform
Name of the Vulnerable Software and Affected Versions: OpenShift Container Platform versions 3.x Description: A flaw was discovered in the upgrade process of OpenShift Container Platform, specifically when using CRI-O. The issue allows an unprivileged user to escalate their privileges to those...
runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory...
Centos 7 : runc
An update for runc is now available for CentOS 7 Extras. The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime. A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could...
USN-4048-1: Docker vulnerabilities
Aleksa Sarai discovered that Docker was vulnerable to a directory traversal attack. An attacker could use this vulnerability to read and write arbitrary files on the host filesystem as root...
CVE-2019-0204
A flaw was found in Docker image running under root user, where it is possible to overwrite the init helper binary of the container runtime or the command executor in Apache Mesos. A malicious user could use this flaw to gain root-level code execution on the host...
Design/Logic Flaw
Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contain a configuration file with IAAS credentials. A malicious user with access to the k8s nodes can obtain IAAS credentials allowing the user to escalate privileges to gain access to the IAAS account...
Design/Logic Flaw
Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters that utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API. This could allow a user authenticated with a cluster to request a signed certificate leveraging the...
CVE-2019-3780
Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contain a configuration file with IAAS credentials. A malicious user with access to the k8s nodes can obtain IAAS credentials allowing the user to escalate privileges to gain access to the IAAS account...
CVE-2019-3779
Cloud Foundry Container Runtime, versions prior to 0.29.0, deploys Kubernetes clusters that utilize the same CA (Certificate Authority) to sign and trust certs for ETCD as used by the Kubernetes API. This could allow a user authenticated with a cluster to request a signed certificate leveraging the...
CVE-2019-3780 Cloud Foundry Container Runtime Leaks IAAS Credentials
Cloud Foundry Container Runtime, versions prior to 0.28.0, deploys K8s worker nodes that contain a configuration file with IAAS credentials. A malicious user with access to the k8s nodes can obtain IAAS credentials allowing the user to escalate privileges to gain access to the IAAS account...
CVE-2019-3780
CVE-2019-3780 affects Cloud Foundry Container Runtime (CFCR) prior to v0.28.0. The vulnerability arises because worker nodes deployed by CFCR contain a configuration file with IAAS credentials, enabling a user with node access to obtain those credentials and escalate privileges within the IAAS ac...
CVE-2019-3779
CVE-2019-3779 affects Cloud Foundry Container Runtime (CFCR) prior to v0.29.0. The vulnerability arises because CFCR clusters use the same Certificate Authority to sign and trust certificates for ETCD as for the Kubernetes API. An authenticated user within a cluster could exploit the Kubernetes C...