Back to bug 1390163
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Andrej Nemec | 2016-10-31 11:27:59 UTC | Depends On | 1390104 | |
| Florian Weimer | 2016-10-31 19:41:51 UTC | CC | fweimer | |
| PnT Account Manager | 2018-06-29 22:15:39 UTC | CC | kseifried | |
| Product Security DevOps Team | 2019-06-08 03:01:41 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | NOTABUG |
| | | Last Closed | | 2019-06-08 03:01:41 UTC |
| Product Security DevOps Team | 2019-09-29 13:59:56 UTC | Whiteboard | impact=moderate,public=20161024,reported=20161031,source=redhat,cvss2=4.4/AV:L/AC:M/Au:N/C:P/I:P/A:P,cvss3=5.3/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L,openshift-enterprise-3/docker=notaffected,rhel-7/docker=notaffected,fedora-all/docker=affected,epel-6/docker=notaffected | |
| Roel van de Kraats | 2020-03-23 14:50:18 UTC | CC | rhbug | |
| Troy Dawson | 2020-03-23 16:33:02 UTC | CC | tdawson | |
| Tomas Hoger | 2020-06-19 10:39:57 UTC | Blocks | 1848236 | |
| Tomas Hoger | 2020-06-19 15:40:45 UTC | Depends On | 1849099 | |
| Jason Shepherd | 2020-06-22 00:35:48 UTC | Doc Text | Ambient capabilities allow unprivileged child processes to inherit capabilities. Runc disables ambient capabilities but due to a regression in the build flags in the docker-1.13.1-108.git4ef4b30.el7.centos.x86_64 docker containers run with that version have extra capabilities they shouldn't have. | |
| Jason Shepherd | 2020-06-22 00:40:19 UTC | Doc Text | Ambient capabilities allow unprivileged child processes to inherit capabilities. Runc disables ambient capabilities but due to a regression in the build flags in the docker-1.13.1-108.git4ef4b30.el7.centos.x86_64 docker containers run with that version have extra capabilities they shouldn't have. | Ambient capabilities allow unprivileged child processes to inherit capabilities. Runc disables ambient capabilities but due to a regression in the build flags in the docker-1.13.1-108.git4ef4b30.el7 docker containers run with that version have extra capabilities they shouldn't have. |
| Jason Shepherd | 2020-06-22 00:49:13 UTC | Priority | medium | high |
| | | Severity | medium | high |
| Sam Fowler | 2020-06-22 02:00:31 UTC | CC | jokerman | |
| Tomas Hoger | 2020-06-22 08:21:15 UTC | Status | CLOSED | NEW |
| | | Resolution | NOTABUG | --- |
| | | Keywords | | Reopened |
| Alex Jia | 2020-06-22 15:53:58 UTC | CC | ajia | |
| RaTasha Tillery-Smith | 2020-06-23 15:44:45 UTC | CC | rtillery | |
| | | Doc Text | Ambient capabilities allow unprivileged child processes to inherit capabilities. Runc disables ambient capabilities but due to a regression in the build flags in the docker-1.13.1-108.git4ef4b30.el7 docker containers run with that version have extra capabilities they shouldn't have. | An incorrect setting of ambient capabilities caused unprivileged non-root processes inside a container to run with unexpected capabilities, allowing them to escalate their privileges inside that container to root. When this issue was originally reported in 2016, it did not affect any version of docker packages shipped with Red Hat Enterprise Linux 7 Extras at that time. Due to the regression, the docker-1.13.1-108.git4ef4b30.el7 packages became vulnerable to these privilege escalations within the container. This specific build is the only one containing the regression, and the only version affected by this issue. This issue can be mitigated by restricting the set of capabilities available to processes inside containers using the --cap-add and --cap-drop options. However, as such restrictions apply to both non-root and root processes, the set of capabilities that can be dropped without breaking intended functionality has to be determined for each container and may not prevent privilege escalation. Red Hat recommends that users install fixed docker packages instead of using this mitigation. |
| RaTasha Tillery-Smith | 2020-06-23 19:14:59 UTC | Doc Text | An incorrect setting of ambient capabilities caused unprivileged non-root processes inside a container to run with unexpected capabilities, allowing them to escalate their privileges inside that container to root. When this issue was originally reported in 2016, it did not affect any version of docker packages shipped with Red Hat Enterprise Linux 7 Extras at that time. Due to the regression, the docker-1.13.1-108.git4ef4b30.el7 packages became vulnerable to these privilege escalations within the container. This specific build is the only one containing the regression, and the only version affected by this issue. This issue can be mitigated by restricting the set of capabilities available to processes inside containers using the --cap-add and --cap-drop options. However, as such restrictions apply to both non-root and root processes, the set of capabilities that can be dropped without breaking intended functionality has to be determined for each container and may not prevent privilege escalation. Red Hat recommends that users install fixed docker packages instead of using this mitigation. | An incorrect setting of ambient capabilities caused unprivileged non-root processes inside a container to run with unexpected capabilities, allowing them to escalate their privileges inside that container to root. When this issue was originally reported in 2016, it did not affect any version of docker packages shipped with Red Hat Enterprise Linux 7 Extras at that time. Due to the regression, the docker-1.13.1-108.git4ef4b30.el7 packages became vulnerable to these privilege escalations within the container. This specific build is the only one containing the regression, and the only version affected by this issue. |
| errata-xmlrpc | 2020-06-23 19:43:22 UTC | Link ID | Red Hat Product Errata RHSA-2020:2653 | |
| Product Security DevOps Team | 2020-06-23 23:20:23 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | ERRATA |
| | | Last Closed | 2019-06-08 03:01:41 UTC | 2020-06-23 23:20:23 UTC |
| Tomas Hoger | 2020-06-24 09:33:17 UTC | Doc Text | An incorrect setting of ambient capabilities caused unprivileged non-root processes inside a container to run with unexpected capabilities, allowing them to escalate their privileges inside that container to root. When this issue was originally reported in 2016, it did not affect any version of docker packages shipped with Red Hat Enterprise Linux 7 Extras at that time. Due to the regression, the docker-1.13.1-108.git4ef4b30.el7 packages became vulnerable to these privilege escalations within the container. This specific build is the only one containing the regression, and the only version affected by this issue. | The runc version as used in docker 1.12.2 was incorrectly setting ambient capabilities for all processes executed inside containers. This caused processes of non-root users to run with unexpected privileges, allowing them to escalate their privileges to root. |
| Dave Baker | 2020-06-25 14:56:40 UTC | Depends On | 1851083 | |
| errata-xmlrpc | 2020-06-29 16:56:49 UTC | Link ID | Red Hat Product Errata RHBA-2020:2762 | |