Vulnerability Details : CVE-2022-24769
Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.
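An added check, not code from the advisory or the Moby project: it parses the `CapInh` field of a `/proc/<pid>/status` file and reports whether the inheritable set is empty, which is the condition the fix restores. The sample status excerpts are constructed, and `check_container` assumes the `docker` CLI is on PATH and that the argument is a running container name.

```shell
#!/bin/sh
# Returns 0 if the CapInh mask is all zero (expected on a fixed engine),
# 1 if it is non-empty (the CVE-2022-24769 symptom), 2 if the line is
# missing. Argument: the text of a /proc/<pid>/status file.
inh_caps_empty() {
    inh=$(printf '%s\n' "$1" | awk '/^CapInh:/ { print $2 }')
    [ -n "$inh" ] || return 2
    # Strip leading zeros; an empty remainder means the mask is all zero.
    stripped=$(printf '%s' "$inh" | sed 's/^0*//')
    [ -z "$stripped" ]
}

# Constructed sample: PID 1 in a container started by an affected engine,
# where CapInh equals the bounding set instead of being empty.
AFFECTED_STATUS='Name: sh
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000'

# Constructed sample: the same container after recreating it on 20.10.14.
FIXED_STATUS='Name: sh
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000'

# Live check against a running container (assumes the docker CLI).
# Usage: check_container <container-name>
check_container() {
    status=$(docker exec "$1" cat /proc/1/status) || return 2
    if inh_caps_empty "$status"; then
        echo "$1: CapInh empty (OK)"
    else
        echo "$1: CapInh non-empty; upgrade the engine, then stop, delete and recreate"
        return 1
    fi
}
```

Run it against each container after upgrading; any container that still reports a non-empty CapInh was created by the old engine and needs to be recreated, as the advisory states.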
Products affected by CVE-2022-24769
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*
- cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24769
0.14% probability of exploitation activity in the next 30 days
EPSS Score History
~50% percentile (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2022-24769
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P | 3.9 | 6.4 | NIST | |
5.9 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.5 | 3.4 | NIST | |
5.9 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.5 | 3.4 | GitHub, Inc. | |
CWE ids for CVE-2022-24769
- The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
  Assigned by:
  - nvd@nist.gov (Secondary)
  - security-advisories@github.com (Primary)
References for CVE-2022-24769
- [SECURITY] Fedora 35 Update: containerd-1.6.2-1.fc35 (Mailing List; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL/
- Debian Security Information, DSA-5162-1 containerd (Third Party Advisory): https://www.debian.org/security/2022/dsa-5162
- [SECURITY] Fedora 34 Update: containerd-1.6.2-2.fc34 (Mailing List; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC/
- Release v20.10.14, moby/moby on GitHub (Release Notes; Third Party Advisory): https://github.com/moby/moby/releases/tag/v20.10.14
- [SECURITY] Fedora 35 Update: moby-engine-20.10.14-1.fc35 (Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY/
- [SECURITY] Fedora 34 Update: moby-engine-20.10.14-1.fc34 (Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG/
- containerd: Multiple Vulnerabilities (GLSA 202401-31), Gentoo security: https://security.gentoo.org/glsa/202401-31
- Default inheritable capabilities for linux container should be empty, advisory GHSA-2mm7-x5h6-5pvq, moby/moby on GitHub (Mitigation; Third Party Advisory): https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq
- [SECURITY] Fedora 36 Update: moby-engine-20.10.14-1.fc36 (Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7/
- oss-security: CVE-2022-29162: runc < 1.1.2 incorrect handling of inheritable capabilities in default configuration (Mailing List; Third Party Advisory): http://www.openwall.com/lists/oss-security/2022/05/12/1
- [SECURITY] Fedora 36 Update: containerd-1.6.2-1.fc36 (Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH/
- Merge pull request from GHSA-2mm7-x5h6-5pvq, moby/moby@2bbc786 on GitHub (Patch; Third Party Advisory): https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f