CVE-2022-29162
Summary
| CVE | CVE-2022-29162 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2022-05-17 21:15:00 UTC |
|---|
| Updated | 2023-11-07 03:45:00 UTC |
|---|
| Description | runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| [SECURITY] Fedora 34 Update: golang-github-opencontainers-runc-1.1.2-1.fc34 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
|
| [SECURITY] Fedora 34 Update: golang-github-opencontainers-runc-1.1.2-1.fc34 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| Default inheritable capabilities for linux container should be empty · Advisory · opencontainers/runc · GitHub |
CONFIRM |
github.com |
|
| [SECURITY] Fedora 35 Update: golang-github-opencontainers-runc-1.1.2-1.fc35 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| [SECURITY] Fedora 35 Update: golang-github-opencontainers-runc-1.1.2-1.fc35 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
|
| [SECURITY] [DLA 3369-1] runc security update |
MLIST |
lists.debian.org |
|
| [SECURITY] Fedora 36 Update: golang-github-opencontainers-runc-1.1.2-1.fc36 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| [SECURITY] Fedora 36 Update: golang-github-opencontainers-runc-1.1.2-1.fc36 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
|
| Merge pull request from GHSA-f3fp-gc8g-vw66 · opencontainers/runc@d04de3a · GitHub |
MISC |
github.com |
|
| Release v1.1.2 -- "I should think I’m going to be a perpetual student." · opencontainers/runc · GitHub |
MISC |
github.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160213 Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2022-7469)
- 160233 Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2022-7457)
- 160310 Oracle Enterprise Linux Security Update for runc (ELSA-2022-8090)
- 180866 Debian Security Update for runc (CVE-2022-29162)
- 181640 Debian Security Update for runc (DLA 3369-1)
- 199528 Ubuntu Security Notification for runC Vulnerabilities (USN-6088-2)
- 240607 Red Hat OpenShift Container Platform 4.11 Security Update (RHSA-2022:5068)
- 240829 Red Hat Update for container-tools:rhel8 security (RHSA-2022:7457)
- 240847 Red Hat Update for container-tools:4.0 (RHSA-2022:7469)
- 240868 Red Hat Update for runc (RHSA-2022:8090)
- 282779 Fedora Security Update for golang (FEDORA-2022-e980dc71b1)
- 282780 Fedora Security Update for golang (FEDORA-2022-91b747a0d7)
- 282782 Fedora Security Update for golang (FEDORA-2022-d1f55f8fd0)
- 355453 Amazon Linux Security Advisory for runc : ALAS2023-2023-231
- 357241 Amazon Linux Security Advisory for runc : ALAS2023-2024-531
- 502184 Alpine Linux Security Update for runc
- 6140312 AWS Bottlerocket Security Update for runc (GHSA-v774-6wqv-56hv)
- 672019 EulerOS Security Update for docker-engine (EulerOS-SA-2022-2253)
- 672049 EulerOS Security Update for docker-engine (EulerOS-SA-2022-2240)
- 672098 EulerOS Security Update for docker-runc (EulerOS-SA-2022-2283)
- 672127 EulerOS Security Update for docker-runc (EulerOS-SA-2022-2312)
- 672327 EulerOS Security Update for docker-engine (EulerOS-SA-2022-2707)
- 752333 SUSE Enterprise Linux Security Update for containerd, docker and runc (SUSE-SU-2022:2341-1)
- 753186 SUSE Enterprise Linux Security Update for kubevirt (SUSE-SU-2022:3333-1)
- 753213 SUSE Enterprise Linux Security Update for kubevirt (SUSE-SU-2022:3321-1)
- 770161 Red Hat OpenShift Container Platform 4.1 Security Update (RHSA-2022:5068)
- 902047 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (9819)
- 902050 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (9817)
- 902288 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (9817-1)
- 902485 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (9819-1)
- 940774 AlmaLinux Security Update for container-tools:4.0 (ALSA-2022:7469)
- 940818 AlmaLinux Security Update for runc (ALSA-2022:8090)
- 960172 Rocky Linux Security Update for container-tools:rhel8 (RLSA-2022:7457)
- 960188 Rocky Linux Security Update for container-tools:4.0 (RLSA-2022:7469)
- 960642 Rocky Linux Security Update for runc (RLSA-2022:8090)
