SUSE update for containerd
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-29162 CVE-2022-31030 |
| CWE-ID | CWE-264 CWE-400 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
SUSE Linux Enterprise Server for SAP Applications Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing Operating systems & Components / Operating system SUSE Linux Enterprise Module for Containers Operating systems & Components / Operating system SUSE Linux Enterprise Server Operating systems & Components / Operating system runc-debuginfo Operating systems & Components / Operating system package or component runc Operating systems & Components / Operating system package or component docker-debuginfo Operating systems & Components / Operating system package or component docker Operating systems & Components / Operating system package or component containerd Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU63090
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29162
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to containers are incorrectly started with non-empty inheritable Linux process capabilities, which leads to security restrictions bypass and privilege escalation.
MitigationUpdate the affected package containerd to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications: 12 - 12-SP5
SUSE Linux Enterprise High Performance Computing: 12
SUSE Linux Enterprise Module for Containers: 12
SUSE Linux Enterprise Server: 12 SP2-LTSS-ERICSSON - 12-SP5
runc-debuginfo: before 1.1.3-16.21.1
runc: before 1.1.3-16.21.1
docker-debuginfo: before 20.10.17_ce-98.83.1
docker: before 20.10.17_ce-98.83.1
containerd: before 1.6.6-16.62.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222165-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource exhaustion
EUVDB-ID: #VU64007
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-31030
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the ExecSync API. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationUpdate the affected package containerd to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server for SAP Applications: 12 - 12-SP5
SUSE Linux Enterprise High Performance Computing: 12
SUSE Linux Enterprise Module for Containers: 12
SUSE Linux Enterprise Server: 12 SP2-LTSS-ERICSSON - 12-SP5
runc-debuginfo: before 1.1.3-16.21.1
runc: before 1.1.3-16.21.1
docker-debuginfo: before 20.10.17_ce-98.83.1
docker: before 20.10.17_ce-98.83.1
containerd: before 1.6.6-16.62.1
External linkshttp://www.suse.com/support/update/announcement/2022/suse-su-20222165-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
