SB2023040505 - Multiple vulnerabilities in Moby
Published: April 5, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Missing Encryption of Sensitive Data (CVE-ID: CVE-2023-28841)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to missing encryption of sensitive data within the overlay network driver. A remote attacker can gain unauthorized access to sensitive information on the system.
2) Unprotected Alternate Channel (CVE-ID: CVE-2023-28840)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to unprotected alternate channel within encrypted overlay networks. A remote attacker can inject arbitrary Ethernet frames into the encrypted overlay network and perform a denial of service (DoS) attack.
3) Unprotected Alternate Channel (CVE-ID: CVE-2023-28842)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to unprotected alternate channel within encrypted overlay networks. A remote attacker can inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams.
Remediation
Install update from vendor's website.
References
- https://github.com/moby/moby/security/advisories/GHSA-6wrf-mxfj-pf5p
- https://github.com/moby/libnetwork/security/advisories/GHSA-gvm4-2qqg-m333
- https://github.com/moby/moby/issues/43382
- https://github.com/moby/moby/security/advisories/GHSA-232p-vwff-86mp
- https://github.com/moby/moby/security/advisories/GHSA-vwm3-crmr-xfxw
- https://github.com/moby/moby/security/advisories/GHSA-33pg-m6jh-5237
- https://github.com/moby/moby/pull/45118
- https://github.com/moby/libnetwork/blob/d9fae4c73daf76c3b0f77e14b45b8bf612ba764d/drivers/overlay/encryption.go#L205-L207