vulnerability

CentOS Linux: CVE-2023-25809: Moderate: runc security update (Multiple Advisories)

Try Surface Command
Back to search
Severity
4
CVSS
(AV:L/AC:L/Au:S/C:P/I:P/A:P)
Published
2023-03-29
Added
2023-11-08
Modified
2025-01-28

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`.

Solution(s)

centos-upgrade-aardvark-dnscentos-upgrade-buildahcentos-upgrade-buildah-debuginfocentos-upgrade-buildah-debugsourcecentos-upgrade-buildah-testscentos-upgrade-buildah-tests-debuginfocentos-upgrade-cockpit-podmancentos-upgrade-conmoncentos-upgrade-conmon-debuginfocentos-upgrade-conmon-debugsourcecentos-upgrade-container-selinuxcentos-upgrade-containernetworking-pluginscentos-upgrade-containernetworking-plugins-debuginfocentos-upgrade-containernetworking-plugins-debugsourcecentos-upgrade-containers-commoncentos-upgrade-critcentos-upgrade-criucentos-upgrade-criu-debuginfocentos-upgrade-criu-debugsourcecentos-upgrade-criu-develcentos-upgrade-criu-libscentos-upgrade-criu-libs-debuginfocentos-upgrade-cruncentos-upgrade-crun-debuginfocentos-upgrade-crun-debugsourcecentos-upgrade-fuse-overlayfscentos-upgrade-fuse-overlayfs-debuginfocentos-upgrade-fuse-overlayfs-debugsourcecentos-upgrade-libslirpcentos-upgrade-libslirp-debuginfocentos-upgrade-libslirp-debugsourcecentos-upgrade-libslirp-develcentos-upgrade-netavarkcentos-upgrade-oci-seccomp-bpf-hookcentos-upgrade-oci-seccomp-bpf-hook-debuginfocentos-upgrade-oci-seccomp-bpf-hook-debugsourcecentos-upgrade-podmancentos-upgrade-podman-catatonitcentos-upgrade-podman-catatonit-debuginfocentos-upgrade-podman-debuginfocentos-upgrade-podman-debugsourcecentos-upgrade-podman-dockercentos-upgrade-podman-gvproxycentos-upgrade-podman-gvproxy-debuginfocentos-upgrade-podman-pluginscentos-upgrade-podman-plugins-debuginfocentos-upgrade-podman-remotecentos-upgrade-podman-remote-debuginfocentos-upgrade-podman-testscentos-upgrade-python3-criucentos-upgrade-python3-podmancentos-upgrade-runccentos-upgrade-runc-debuginfocentos-upgrade-runc-debugsourcecentos-upgrade-skopeocentos-upgrade-skopeo-debuginfocentos-upgrade-skopeo-debugsourcecentos-upgrade-skopeo-testscentos-upgrade-slirp4netnscentos-upgrade-slirp4netns-debuginfocentos-upgrade-slirp4netns-debugsourcecentos-upgrade-toolboxcentos-upgrade-toolbox-debuginfocentos-upgrade-toolbox-debugsourcecentos-upgrade-toolbox-testscentos-upgrade-udica

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today