Incorrect Default Permissions Affecting container-tools:rhel8/runc package, versions <1:1.1.9-1.module+el8.9.0+19648+0d5ae0ec


Severity

Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.04% (15th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Incorrect Default Permissions vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-RHEL8-CONTAINERTOOLS-5327031
  • published30 Mar 2023
  • disclosed29 Mar 2023

Introduced: 29 Mar 2023

CVE-2023-25809  (opens in a new tab)
CWE-276  (opens in a new tab)

How to fix?

Upgrade RHEL:8 container-tools:rhel8/runc to version 1:1.1.9-1.module+el8.9.0+19648+0d5ae0ec or higher.
This issue was patched in RHSA-2023:6939.

NVD Description

Note: Versions mentioned in the description apply only to the upstream container-tools:rhel8/runc package and not the container-tools:rhel8/runc package as distributed by RHEL. See How to fix? for RHEL:8 relevant fixed versions and status.

runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes /sys/fs/cgroup writable in following conditons: 1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add /sys/fs/cgroup to maskedPaths.

CVSS Scores

version 3.1