CVE-2022-24769

Summary

CVE	CVE-2022-24769
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-03-24 20:15:00 UTC
Updated	2024-01-31 13:15:00 UTC
Description	Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.

Risk And Classification

Problem Types: CWE-732

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	11.0	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Operating System	Linux	Linux Kernel	-	All	All	All
Application	Linuxfoundation	Runc	All	All	All	All
Application	Mobyproject	Moby	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 34 Update: moby-engine-20.10.14-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 34 Update: containerd-1.6.2-2.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Release v20.10.14 · moby/moby · GitHub	MISC	github.com
oss-security - CVE-2022-29162: runc < 1.1.2 incorrect handling of inheritable capabilities in default configuration	MLIST	www.openwall.com
[SECURITY] Fedora 35 Update: containerd-1.6.2-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 35 Update: moby-engine-20.10.14-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Merge pull request from GHSA-2mm7-x5h6-5pvq · moby/moby@2bbc786 · GitHub	MISC	github.com
Debian -- Security Information -- DSA-5162-1 containerd	DEBIAN	www.debian.org
[SECURITY] Fedora 35 Update: moby-engine-20.10.14-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 36 Update: moby-engine-20.10.14-1.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 35 Update: containerd-1.6.2-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 34 Update: moby-engine-20.10.14-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 34 Update: containerd-1.6.2-2.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
containerd: Multiple Vulnerabilities (GLSA 202401-31) — Gentoo security		security.gentoo.org
[SECURITY] Fedora 36 Update: containerd-1.6.2-1.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 36 Update: moby-engine-20.10.14-1.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 36 Update: containerd-1.6.2-1.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Default inheritable capabilities for linux container should be empty · Advisory · moby/moby · GitHub	CONFIRM	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

179373 Debian Security Update for containerd (DSA 5162-1)
184912 Debian Security Update for containerd (CVE-2022-24769)
199074 Ubuntu Security Notification for containerd Vulnerabilities (USN-5776-1)
282573 Fedora Security Update for containerd (FEDORA-2022-ed53f2439a)
282574 Fedora Security Update for containerd (FEDORA-2022-e9a09c1a7d)
282619 Fedora Security Update for moby (FEDORA-2022-cac2323802)
282620 Fedora Security Update for moby (FEDORA-2022-c07546070d)
353271 Amazon Linux Security Advisory for containerd : ALAS2-2022-1775
353276 Amazon Linux Security Advisory for containerd, docker : ALAS-2022-1582
353279 Amazon Linux Security Advisory for docker, containerd : ALAS2DOCKER-2022-018
353963 Amazon Linux Security Advisory for containerd, docker : ALAS2NITRO-ENCLAVES-2022-019
354347 Amazon Linux Security Advisory for docker : ALAS2022-2022-237
354471 Amazon Linux Security Advisory for containerd, docker : ALAS2022-2022-054
354590 Amazon Linux Security Advisory for docker : ALAS-2022-237
354710 Amazon Linux Security Advisory for containerd : ALAS2022-2022-210
355261 Amazon Linux Security Advisory for containerd : ALAS2023-2023-079
356873 Amazon Linux Security Advisory for containerd : ALAS2ECS-2023-023
502049 Alpine Linux Security Update for containerd
502052 Alpine Linux Security Update for docker
502259 Alpine Linux Security Update for containerd
504647 Alpine Linux Security Update for containerd
504674 Alpine Linux Security Update for docker
6140143 AWS Bottlerocket Security Update for containerd (GHSA-88cv-59gc-h9cf)
6140291 AWS Bottlerocket Security Update for docker (GHSA-v8gj-vjvw-q83c)
671845 EulerOS Security Update for docker-engine (EulerOS-SA-2022-1886)
671881 EulerOS Security Update for docker-engine (EulerOS-SA-2022-1926)
671906 EulerOS Security Update for docker-engine (EulerOS-SA-2022-1963)
671938 EulerOS Security Update for docker-engine (EulerOS-SA-2022-1993)
671982 EulerOS Security Update for docker-engine (EulerOS-SA-2022-2154)
672005 EulerOS Security Update for docker-engine (EulerOS-SA-2022-2129)
710846 Gentoo Linux containerd Multiple Vulnerabilities (GLSA 202401-31)
752133 SUSE Enterprise Linux Security Update for containerd, docker (SUSE-SU-2022:1689-1)
901363 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (9700)
901492 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (9698)
902279 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (9698-1)
902504 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (9700-1)