CVE-2023-25809
Summary
| CVE | CVE-2023-25809 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2023-03-29 19:15:00 UTC |
|---|
| Updated | 2023-11-07 04:09:00 UTC |
|---|
| Description | runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared · Advisory · opencontainers/runc · GitHub |
MISC |
github.com |
|
| Merge pull request from GHSA-m8cg-xc2p-r3fc · opencontainers/runc@0d62b95 · GitHub |
MISC |
github.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 160789 Oracle Enterprise Linux Security Update for aardvark-dns (ELSA-2023-12579)
- 160797 Oracle Enterprise Linux Security Update for buildah (ELSA-2023-12578)
- 161114 Oracle Enterprise Linux Security Update for runc (ELSA-2023-6380)
- 161175 Oracle Enterprise Linux Security Update for container-tools:ol8 (ELSA-2023-6939)
- 161187 Oracle Enterprise Linux Security Update for container-tools:4.0 (ELSA-2023-6938)
- 184463 Debian Security Update for runc (CVE-2023-25809)
- 199349 Ubuntu Security Notification for runC Vulnerabilities (USN-6088-1)
- 199528 Ubuntu Security Notification for runC Vulnerabilities (USN-6088-2)
- 242301 Red Hat Update for runc (RHSA-2023:6380)
- 242415 Red Hat Update for container-tools:rhel8 (RHSA-2023:6939)
- 242458 Red Hat Update for container-tools:4.0 (RHSA-2023:6938)
- 355356 Amazon Linux Security Advisory for runc : ALAS2NITRO-ENCLAVES-2023-024
- 355359 Amazon Linux Security Advisory for runc : ALAS2DOCKER-2023-025
- 355440 Amazon Linux Security Advisory for runc : ALAS2023-2023-208
- 355564 Amazon Linux Security Advisory for runc : ALAS2ECS-2023-004
- 379641 Alibaba Cloud Linux Security Update for container-tools:rhel8 (ALINUX3-SA-2024:0050)
- 502953 Alpine Linux Security Update for runc
- 503262 Alpine Linux Security Update for runc
- 506236 Alpine Linux Security Update for runc
- 6140277 AWS Bottlerocket Security Update for runc (GHSA-f9r5-4wpx-x2g8)
- 753943 SUSE Enterprise Linux Security Update for runc (SUSE-SU-2023:2003-1)
- 906779 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (25887-1)
- 906855 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-runc (25851-1)
- 941400 AlmaLinux Security Update for runc (ALSA-2023:6380)
- 941444 AlmaLinux Security Update for container-tools:4.0 (ALSA-2023:6938)
- 941481 AlmaLinux Security Update for container-tools:rhel8 (ALSA-2023:6939)
