Bug 1666565 (CVE-2018-20699)
| Summary: | CVE-2018-20699 docker: Memory exhaustion via large integer used with --cpuset-mems or --cpuset-cpus | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | amurdaca, dominik.mierzejewski, dwalsh, lsm5, pasik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-10 10:45:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1666566, 1666567, 1666568, 1667625, 1671333 | | |
| Bug Blocks: | 1666569 | | |

Description
Sam Fowler
2019-01-16 03:54:03 UTC
Created docker tracking bugs for this issue:

Affects: epel-6 [bug 1666568]
Affects: fedora-all [bug 1666566]

Created docker:2017.0/docker tracking bugs for this issue:

Affects: fedora-all [bug 1666567]

Function isCpusetListAvailable() in pkg/sysinfo/sysinfo.go uses pkg/parsers/parsers.go:ParseUintList() function to parse the value passed through the --cpuset-mems docker option. ParseUintList() returns a map with each element in the list mapped to true/false. When the list is too big, the daemon tries to allocate such a map, using all available memory and causing a crash.

Even though, in general, a user needs to be root or have high privilege to run docker commands, it was considered a security issue anyway, as there are docker plugins to enable authentication and allow users to perform a subset of the APIs dockerd provides. This would allow a non-privileged user to crash the dockerd daemon itself.

Statement:

This issue affects the versions of docker as shipped with Red Hat Enterprise Linux 7; however, if docker is accessible only by root or highly privileged users, as it is by default, a low-privileged attacker will not be able to trigger the flaw.

Decreasing Impact to Low because normally Docker is accessible only by root or by high-privilege users.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0487 https://access.redhat.com/errata/RHSA-2019:0487
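
An added example (not Docker's code and not part of the bug report) of the failure mode described above: a list parser that checks every range against a maximum before it builds the map, so memory use is bounded by the limit rather than by the input. The names `parseUintListBounded` and `cpusetAvailable`, the limit 8192 and the sample inputs are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parseUintListBounded (hypothetical name) parses lists such as "0-3,7".
// Each range is checked against max BEFORE any map entry is created, so the
// map never grows beyond max+1 entries whatever the caller supplies.
func parseUintListBounded(val string, max int) (map[int]bool, error) {
	set := map[int]bool{}
	for _, part := range strings.Split(val, ",") {
		ends := strings.SplitN(part, "-", 2)
		first, err := strconv.Atoi(ends[0])
		last := first
		if err == nil && len(ends) == 2 {
			last, err = strconv.Atoi(ends[1])
		}
		// Malformed, reversed, overflowing and over-limit entries all stop here.
		if err != nil || first < 0 || last < first || last > max {
			return nil, fmt.Errorf("invalid or out-of-range entry %q (maximum %d)", part, max)
		}
		for i := first; i <= last; i++ {
			set[i] = true
		}
	}
	return set, nil
}

// cpusetAvailable (hypothetical name) reports whether every requested id is
// in the host's available list; both lists are parsed with the same bound.
func cpusetAvailable(requested, available string, hostMax int) (bool, error) {
	avail, errA := parseUintListBounded(available, hostMax)
	req, errR := parseUintListBounded(requested, hostMax)
	if errA != nil || errR != nil {
		return false, fmt.Errorf("rejected: available=%v requested=%v", errA, errR)
	}
	for id := range req {
		if !avail[id] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	fmt.Println(cpusetAvailable("0-1", "0-3", 8192))          // constructed inputs
	fmt.Println(cpusetAvailable("0-4000000000", "0-3", 8192)) // error, nothing allocated
}
```

Without the `last > max` check, the inner loop would insert one map entry per integer in the range, which is the unbounded allocation the report describes.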