SUSE update for containerd, docker, runc



Published: 2021-04-30
Risk: High
Patch available: YES
Number of vulnerabilities: 9
CVE-ID: CVE-2018-16873, CVE-2018-16874, CVE-2018-16875, CVE-2019-16884, CVE-2019-19921, CVE-2019-5736, CVE-2021-21284, CVE-2021-21285, CVE-2021-21334
CWE-ID: CWE-77, CWE-22, CWE-20, CWE-264, CWE-284, CWE-400, CWE-399
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #6 is available.
Vulnerable software:
SUSE Linux Enterprise Module for Containers
Operating systems & Components / Operating system

runc-debuginfo
Operating systems & Components / Operating system package or component

runc
Operating systems & Components / Operating system package or component

docker-debuginfo
Operating systems & Components / Operating system package or component

docker
Operating systems & Components / Operating system package or component

containerd
Operating systems & Components / Operating system package or component

Vendor: SUSE

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Command injection

EUVDB-ID: #VU16545

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16873

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists in the go get command and is triggered by the import path of a malicious Go package, or of a package that imports it directly or indirectly. A remote unauthenticated attacker can use a vanity import path that ends with "/.git" and use custom domains to arrange things so that a Git repository is cloned to a folder named ".git". The parent directory is then considered a repository root, and Git commands run on it use the "config" file in the original Git repository root for their configuration. If that config file contains malicious commands, the attacker can execute arbitrary code on the system running "go get -u".

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 12

runc-debuginfo: before 1.0.0~rc93-16.8.1

runc: before 1.0.0~rc93-16.8.1

docker-debuginfo: before 20.10.6_ce-98.66.1

docker: before 20.10.6_ce-98.66.1

containerd: before 1.4.4-16.38.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Path traversal

EUVDB-ID: #VU16544

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16874

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to conduct a directory traversal attack on the target system.

The vulnerability exists in the go get command, which is open to path traversal when the affected software executes it with the import path of a Go package that contains curly braces. A remote unauthenticated attacker can trick the victim into accessing, through the go get command, a Go package that submits malicious input, and so conduct a directory traversal attack, which the attacker can use to execute arbitrary code with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Update the affected packages containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 12

runc-debuginfo: before 1.0.0~rc93-16.8.1

runc: before 1.0.0~rc93-16.8.1

docker-debuginfo: before 20.10.6_ce-98.66.1

docker: before 20.10.6_ce-98.66.1

containerd: before 1.4.4-16.38.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU16546

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16875

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability affects Go TLS servers accepting client certificates and TLS clients, because the crypto/x509 package does not limit the amount of work performed for each chain verification. A remote unauthenticated attacker can craft pathological inputs leading to a CPU denial of service.

Mitigation

Update the affected packages containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 12

runc-debuginfo: before 1.0.0~rc93-16.8.1

runc: before 1.0.0~rc93-16.8.1

docker-debuginfo: before 20.10.6_ce-98.66.1

docker: before 20.10.6_ce-98.66.1

containerd: before 1.4.4-16.38.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU22482

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16884

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect checking of the mount targets in libcontainer/rootfs_linux.go in runc. A local user can bypass AppArmor restrictions and perform unauthorized actions on the system, as demonstrated by overwriting the /proc directory with a malicious Docker image.

Mitigation

Update the affected packages containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 12

runc-debuginfo: before 1.0.0~rc93-16.8.1

runc: before 1.0.0~rc93-16.8.1

docker-debuginfo: before 20.10.6_ce-98.66.1

docker: before 20.10.6_ce-98.66.1

containerd: before 1.4.4-16.38.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper access control

EUVDB-ID: #VU25847

Risk: Low

CVSSv3.1: 6 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-19921

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to gain unauthorized access to sensitive information.

The vulnerability exists due to improper access restrictions, related to libcontainer/rootfs_linux.go in runc. A local user with the ability to spawn two containers with custom volume-mount configurations and to run custom images can escalate privileges on the system.

Mitigation

Update the affected packages containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 12

runc-debuginfo: before 1.0.0~rc93-16.8.1

runc: before 1.0.0~rc93-16.8.1

docker-debuginfo: before 20.10.6_ce-98.66.1

docker: before 20.10.6_ce-98.66.1

containerd: before 1.4.4-16.38.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

6) Privilege escalation

EUVDB-ID: #VU17474

Risk: Medium

CVSSv3.1: 7.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2019-5736

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain elevated privileges.

The weakness exists in the runc container runtime due to file-descriptor mishandling, related to /proc/self/exe. A remote attacker can leverage the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. With that ability the attacker can overwrite the host runc binary with minimal user interaction and execute arbitrary code with root privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected packages containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 12

runc-debuginfo: before 1.0.0~rc93-16.8.1

runc: before 1.0.0~rc93-16.8.1

docker-debuginfo: before 20.10.6_ce-98.66.1

docker: before 20.10.6_ce-98.66.1

containerd: before 1.4.4-16.38.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

7) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU50273

Risk: Medium

CVSSv3.1: 7 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21284

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions when using the --userns-remap option. A remote authenticated attacker on the local network can send a specially crafted request and gain elevated privileges as root on the system.

Mitigation

Update the affected packages containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 12

runc-debuginfo: before 1.0.0~rc93-16.8.1

runc: before 1.0.0~rc93-16.8.1

docker-debuginfo: before 20.10.6_ce-98.66.1

docker: before 20.10.6_ce-98.66.1

containerd: before 1.4.4-16.38.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Resource exhaustion

EUVDB-ID: #VU50274

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21285

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can trick a victim into pulling a specially crafted Docker image, trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected packages containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 12

runc-debuginfo: before 1.0.0~rc93-16.8.1

runc: before 1.0.0~rc93-16.8.1

docker-debuginfo: before 20.10.6_ce-98.66.1

docker: before 20.10.6_ce-98.66.1

containerd: before 1.4.4-16.38.1

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Resource management error

EUVDB-ID: #VU51242

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21334

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect management of internal resources. Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.

Mitigation

Update the affected packages containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 12

runc-debuginfo: before 1.0.0~rc93-16.8.1

runc: before 1.0.0~rc93-16.8.1

docker-debuginfo: before 20.10.6_ce-98.66.1

docker: before 20.10.6_ce-98.66.1

containerd: before 1.4.4-16.38.1
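
All nine entries list the same fixed builds. The following Python check is an added example (not part of the original bulletin or of SUSE's tooling): it compares an installed version-release string against those builds using RPM's segment-wise ordering, including the tilde in 1.0.0~rc93. It assumes packages without an epoch; the function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed "version-release" builds, copied from the bulletin's version lists.
FIXED = {
    "runc": "1.0.0~rc93-16.8.1",
    "runc-debuginfo": "1.0.0~rc93-16.8.1",
    "docker": "20.10.6_ce-98.66.1",
    "docker-debuginfo": "20.10.6_ce-98.66.1",
    "containerd": "1.4.4-16.38.1",
}
# Constructed sample inventory (not real host data).
SAMPLE = {"runc": "1.0.0~rc10-16.3.1", "docker": "20.10.6_ce-98.66.1", "containerd": "1.4.4-16.9.1"}

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, as rpm does."""
    while a or b:
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)   # separators carry no ordering
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        if a.startswith("~") or b.startswith("~"):
            # '~' sorts before everything, even end of string: 1.0.0~rc93 < 1.0.0
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        numeric = a[0].isdigit()
        pattern = r"^[0-9]+" if numeric else r"^[A-Za-z]+"
        seg_a, match_b = re.match(pattern, a).group(), re.match(pattern, b)
        if match_b is None:          # segment types differ: numeric is newer
            return 1 if numeric else -1
        seg_b = match_b.group()
        a, b = a[len(seg_a):], b[len(seg_b):]
        key_a, key_b = (int(seg_a), int(seg_b)) if numeric else (seg_a, seg_b)
        if key_a != key_b:
            return 1 if key_a > key_b else -1
    return (len(a) > 0) - (len(b) > 0)   # leftover segments mean newer

def is_vulnerable(package, installed):
    """True if installed 'version-release' is older than the fixed build."""
    inst_ver, _, inst_rel = installed.partition("-")
    fix_ver, _, fix_rel = FIXED[package].partition("-")
    return (rpmvercmp(inst_ver, fix_ver) or rpmvercmp(inst_rel, fix_rel)) < 0

def audit(inventory):
    """Return sorted names of packages in {name: version-release} needing the update."""
    return sorted(p for p, v in inventory.items() if p in FIXED and is_vulnerable(p, v))
```

On a host, the installed string for a package can be read with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' runc` and passed to `is_vulnerable`.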

External links

http://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


