VULNERABILITY

Oracle Linux: CVE-2023-27561: ELSA-2023-6380: runc security update (MODERATE) (Multiple Advisories)

Try Surface Command Get a continuous 360° view of your attack surface

Back to Search

Oracle Linux: CVE-2023-27561: ELSA-2023-6380: runc security update (MODERATE) (Multiple Advisories)

Severity

CVSS

(AV:L/AC:H/Au:S/C:C/I:C/A:C)

Published

02/20/2023

Created

07/21/2023

Added

07/20/2023

Modified

01/07/2025

Description

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume.

Solution(s)

oracle-linux-upgrade-aardvark-dns
oracle-linux-upgrade-buildah
oracle-linux-upgrade-buildah-tests
oracle-linux-upgrade-cockpit-podman
oracle-linux-upgrade-conmon
oracle-linux-upgrade-containernetworking-plugins
oracle-linux-upgrade-containers-common
oracle-linux-upgrade-container-selinux
oracle-linux-upgrade-crit
oracle-linux-upgrade-criu
oracle-linux-upgrade-criu-devel
oracle-linux-upgrade-criu-libs
oracle-linux-upgrade-crun
oracle-linux-upgrade-fuse-overlayfs
oracle-linux-upgrade-libslirp
oracle-linux-upgrade-libslirp-devel
oracle-linux-upgrade-netavark
oracle-linux-upgrade-oci-seccomp-bpf-hook
oracle-linux-upgrade-podman
oracle-linux-upgrade-podman-catatonit
oracle-linux-upgrade-podman-docker
oracle-linux-upgrade-podman-gvproxy
oracle-linux-upgrade-podman-plugins
oracle-linux-upgrade-podman-remote
oracle-linux-upgrade-podman-tests
oracle-linux-upgrade-python3-criu
oracle-linux-upgrade-python3-podman
oracle-linux-upgrade-runc
oracle-linux-upgrade-skopeo
oracle-linux-upgrade-skopeo-tests
oracle-linux-upgrade-slirp4netns
oracle-linux-upgrade-udica

References

https://attackerkb.com/topics/cve-2023-27561
CVE - 2023-27561
ELSA-2023-6380
ELSA-2023-6938
ELSA-2023-12579
ELSA-2023-12578
ELSA-2023-6939

Advanced vulnerability management analytics and reporting.

Key Features

Lightweight Endpoint Agent
Live Dashboards
Real Risk Prioritization
IT-Integrated Remediation Projects
Cloud, Virtual, and Container Assessment
Integrated Threat Feeds
Easy-to-Use RESTful API
Automation-Assisted Patching
Automated Containment

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

VULNERABILITY

Oracle Linux: CVE-2023-27561: ELSA-2023-6380: runc security update (MODERATE) (Multiple Advisories)

Oracle Linux: CVE-2023-27561: ELSA-2023-6380: runc security update (MODERATE) (Multiple Advisories)

Description

Solution(s)

References

Submit your information and we will get in touch with you.

Thank you for contacting us.

We will be in touch shortly.