Vulnerability Details : CVE-2022-29162
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file.
Products affected by CVE-2022-29162
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-29162
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 12 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-29162
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.6
|
MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
3.9
|
6.4
|
NIST | |
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST | |
5.9
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
2.5
|
3.4
|
GitHub, Inc. |
CWE ids for CVE-2022-29162
-
During installation, installed file permissions are set to allow anyone to modify those files.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-29162
-
https://github.com/opencontainers/runc/releases/tag/v1.1.2
Release v1.1.2 -- "I should think I’m going to be a perpetual student." · opencontainers/runc · GitHubRelease Notes;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVPZBV7ISA7QKRPTC7ZXWKMIQI2HZEBB/
[SECURITY] Fedora 36 Update: golang-github-opencontainers-runc-1.1.2-1.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/opencontainers/runc/commit/d04de3a9b72d7a2455c1885fc75eb36d02cd17b5
Merge pull request from GHSA-f3fp-gc8g-vw66 · opencontainers/runc@d04de3a · GitHubPatch;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GPQU4YC4AAY54JDXGDQHJEYKSXXG5T2Y/
[SECURITY] Fedora 34 Update: golang-github-opencontainers-runc-1.1.2-1.fc34 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
[SECURITY] [DLA 3369-1] runc security update
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/D77CKD3AXPMU4PMQIQI5Q74SI4JATNND/
[SECURITY] Fedora 35 Update: golang-github-opencontainers-runc-1.1.2-1.fc35 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/opencontainers/runc/security/advisories/GHSA-f3fp-gc8g-vw66
Default inheritable capabilities for linux container should be empty · Advisory · opencontainers/runc · GitHubThird Party Advisory
Jump to