Bug 2070368 (CVE-2022-1227) - CVE-2022-1227 psgo: Privilege escalation in 'podman top'
Summary: CVE-2022-1227 psgo: Privilege escalation in 'podman top'
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1227
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2072247 2072248 2072249 2072250 2072251 2072252 2072253 2072254 2072255 2072256 2072257 2072258 2072259 2072260 2072261 2072262 2072263 2072264 2072265 2072266 2072267 2072268 2072269 2072270 2074089 2074135 2074136 2074137 2074138 2074139 2074140 2074141 2074142 2074143 2074144 2074145 2074146 2074147 2074148 2074164 2074165 2074725 2074726 2074727 2074728 2074729 2074730 2074731 2079741 2082011
Blocks: 2044679 2071612
TreeView+ depends on / blocked
 
Reported: 2022-03-30 23:13 UTC by Nick Tait
Modified: 2022-12-04 03:33 UTC (History)
39 users (show)

Fixed In Version: podman 4.0, psgo 1.7.2
Doc Type: If docs needed, set a value
Doc Text:
A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.
Clone Of:
Environment:
Last Closed: 2022-12-04 03:33:14 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:2176 0 None None None 2022-05-11 01:09:33 UTC
Red Hat Product Errata RHBA-2022:4920 0 None None None 2022-06-06 21:58:28 UTC
Red Hat Product Errata RHSA-2022:1762 0 None None None 2022-05-10 13:18:19 UTC
Red Hat Product Errata RHSA-2022:2143 0 None None None 2022-05-10 17:16:59 UTC
Red Hat Product Errata RHSA-2022:2190 0 None None None 2022-05-11 14:49:45 UTC
Red Hat Product Errata RHSA-2022:2263 0 None None None 2022-05-26 21:31:47 UTC
Red Hat Product Errata RHSA-2022:4651 0 None None None 2022-05-18 13:57:15 UTC
Red Hat Product Errata RHSA-2022:4816 0 None None None 2022-05-31 12:15:06 UTC
Red Hat Product Errata RHSA-2022:5622 0 None None None 2022-07-19 21:05:30 UTC

Description Nick Tait 2022-03-30 23:13:01 UTC 
For containers which utilize user namepsaces, running 'podman top' triggers the nsenter binary inside a container. The root issue is in github.com/containers/psgo. Podman top doesn't join the user namespace of the container. This could enable an attacker to create a malicious nsenter binary which provides erroneous results to podman top, make syscalls, and other operations beyond what is normally allowed for the container.
Comment 2 Nick Tait 2022-04-05 19:44:37 UTC 
Patch: https://github.com/containers/psgo/pull/92
Comment 10 Mauro Matteo Cascella 2022-04-11 16:04:05 UTC 
Upstream podman issue:
https://github.com/containers/podman/issues/10941
Comment 11 Mauro Matteo Cascella 2022-04-11 16:47:32 UTC 
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2074164]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2074165]
Comment 12 Nick Tait 2022-04-12 22:35:04 UTC 
Created cri-o:1.17/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074725]


Created cri-o:1.18/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074726]


Created cri-o:1.19/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074727]


Created cri-o:1.20/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074728]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074729]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074730]


Created cri-o:nightly/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074731]
Comment 18 errata-xmlrpc 2022-05-10 13:18:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1762 https://access.redhat.com/errata/RHSA-2022:1762
Comment 19 errata-xmlrpc 2022-05-10 17:16:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:2143 https://access.redhat.com/errata/RHSA-2022:2143
Comment 20 errata-xmlrpc 2022-05-11 14:49:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2022:2190 https://access.redhat.com/errata/RHSA-2022:2190
Comment 22 errata-xmlrpc 2022-05-18 13:57:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:4651 https://access.redhat.com/errata/RHSA-2022:4651
Comment 23 errata-xmlrpc 2022-05-26 21:31:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:2263 https://access.redhat.com/errata/RHSA-2022:2263
Comment 24 errata-xmlrpc 2022-05-31 12:15:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:4816 https://access.redhat.com/errata/RHSA-2022:4816
Comment 26 errata-xmlrpc 2022-07-19 21:05:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5622 https://access.redhat.com/errata/RHSA-2022:5622
Comment 29 Product Security DevOps Team 2022-12-04 03:33:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1227
Note You need to log in before you can comment on or make changes to this bug.