openshift/apiserver-library-go: Bypass of SCC seccomp profile restrictions

A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context...

container-tools:rhel8 bug fix and enhancement update

An update is available for module.cockpit-podman, module.fuse-overlayfs, conmon, module.conmon, libslirp, podman, module.udica, module.container-selinux, buildah, crun, module.runc, slirp4netns, oci-seccomp-bpf-hook, module.python-podman, module.buildah, fuse-overlayfs, module.criu,...

container-tools:4.0 bug fix update

An update is available for module.cockpit-podman, module.fuse-overlayfs, conmon, module.conmon, libslirp, podman, module.udica, module.container-selinux, buildah, crun, module.runc, slirp4netns, oci-seccomp-bpf-hook, module.python-podman, module.buildah, fuse-overlayfs, module.criu,...

GO-2023-1549 Improper input validation in github.com/openshift/apiserver-library-go

Low-privileged users can set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint SCC is "runtime/default," allowing users to disable seccomp for pods they can create and modify...

SUSE CVE-2009-0835

The securecomputing function in kernel/seccomp.c in the seccomp subsystem in the Linux kernel 2.6.28.7 and earlier on the x8664 platform, when CONFIGSECCOMP is enabled, does not properly handle 1 a 32-bit process making a 64-bit syscall or 2 a 64-bit process making a 32-bit syscall, which allows...

SUSE CVE-2014-1733

The PointerCompare function in codegen.cc in Seccomp-BPF, as used in Google Chrome before 34.0.1847.131 on Windows and OS X and before 34.0.1847.132 on Linux, does not properly merge blocks, which might allow remote attackers to bypass intended sandbox restrictions by leveraging renderer access...

SUSE CVE-2014-4157

arch/mips/include/asm/threadinfo.h in the Linux kernel before 3.14.8 on the MIPS platform does not configure TIFSECCOMP checks on the fast system-call path, which allows local users to bypass intended PRSETSECCOMP restrictions by executing a crafted application without invoking a trace or audit...

SUSE CVE-2015-2830

arch/x86/kernel/entry64.S in the Linux kernel before 3.19.2 does not prevent the TSCOMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the 1 fork or 2 close system call, as demonstrated b...

SUSE CVE-2017-5206

Firejail before 0.9.44.4, when running on a Linux kernel before 4.8, allows context-dependent attackers to bypass a seccomp-based sandbox protection mechanism via the --allow-debuggers argument...

SUSE CVE-2017-5426

On Linux, if the secure computing mode BPF seccomp-bpf filter is running when the Gecko Media Plugin sandbox is started, the sandbox fails to be applied and items that would run within the sandbox are run protected only by the running filter which is typically weak compared to the sandbox. Note:...

SUSE CVE-2018-15746

qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service guest crash by leveraging mishandling of the seccomp policy for threads other than the main thread...

SUSE CVE-2019-2054

In the seccomp implementation prior to kernel version 4.8, there is a possible seccomp bypass due to seccomp policies that allow the use of ptrace. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...

SUSE CVE-2019-7303

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert characters into a terminal on a 64-bit host. The seccomp rules were generated to match 64-bit ioctl2 commands on a 64-bit platform; however, the Linux kernel only uses the lower 32...

SUSE CVE-2019-10063

Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. Flatpak versions since 0.8.1 address CVE-2017-5226 by using a seccomp filter to prevent sandboxed apps from using the TIOCSTI ioctl, which could otherwise be used to inject commands into the...

SUSE CVE-2019-12589

In Firejail before 0.9.60, seccomp filters are writable inside the jail, leading to a lack of intended seccomp restrictions for a process that is joined to the jail after a filter has been modified by an attacker...

SUSE CVE-2022-30594

The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACESEIZE code path allows attackers to bypass intended restrictions on setting the PTSUSPENDSECCOMP flag...

Exploit for Externally Controlled Reference to a Resource in Another Sphere in Linux Linux_Kernel

Bypassing Spectre-BTI User Space Mitigations on Linux Th...

github.com/openshift/apiserver-library-go Improper Input Validation vulnerability

A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context...

CVE-2023-0229

A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context...

CVE-2023-0229

A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context...