Bug 1666565 (CVE-2018-20699)

Summary: CVE-2018-20699 docker: Memory exhaustion via large integer used with --cpuset-mems or --cpuset-cpus
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: amurdaca, dominik.mierzejewski, dwalsh, lsm5, pasik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Story Points: ---
Last Closed: 2019-06-10 10:45:42 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1666566, 1666567, 1666568, 1667625, 1671333
Bug Blocks: 1666569

Description Sam Fowler 2019-01-16 03:54:03 UTC
Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go.


References:

https://github.com/docker/engine/pull/70
https://github.com/moby/moby/pull/37967

Comment 1 Sam Fowler 2019-01-16 03:54:36 UTC
Created docker tracking bugs for this issue:

Affects: epel-6 [bug 1666568]
Affects: fedora-all [bug 1666566]


Created docker:2017.0/docker tracking bugs for this issue:

Affects: fedora-all [bug 1666567]

Comment 4 Riccardo Schirone 2019-01-31 12:25:01 UTC
Function isCpusetListAvailable() in pkg/sysinfo/sysinfo.go uses the pkg/parsers/parsers.go:ParseUintList() function to parse the value passed through the --cpuset-mems docker option. ParseUintList() returns a map with each element in the list mapped to true/false. When the list is too big, the daemon tries to allocate such a map, using all available memory and causing a crash.
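The allocation pattern described in Comment 4, next to the bound check that removes it, as an added example. This is not moby's code and not the patch from the linked pull requests: parseUintListMax, the "maximum" parameter, the subset check in isCpusetListAvailable and the sample host list "0-7" are assumptions made here for illustration, modelled on the page's description of the cpuset list format and the map-per-integer expansion.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// parseUintListMax expands a cpuset-style list ("0-3,5,7-9") into a set with one
// map entry per integer. A negative maximum means "no bound" and models the
// behaviour the bug describes: the size of the allocation is chosen entirely by
// the caller's input. A maximum >= 0 is the hardening: every bound in the input
// is checked before the loop that allocates anything.
// (Added example; the function name and signature are assumptions, not moby's API.)
func parseUintListMax(val string, maximum int) (map[int]bool, error) {
	res := map[int]bool{}
	if val == "" {
		return res, nil
	}
	for _, entry := range strings.Split(val, ",") {
		if !strings.Contains(entry, "-") {
			v, err := strconv.Atoi(entry)
			if err != nil {
				return nil, fmt.Errorf("invalid entry %q", entry)
			}
			if maximum >= 0 && v > maximum {
				return nil, fmt.Errorf("value %d exceeds maximum %d", v, maximum)
			}
			res[v] = true
			continue
		}
		bounds := strings.SplitN(entry, "-", 2)
		lo, err1 := strconv.Atoi(bounds[0])
		hi, err2 := strconv.Atoi(bounds[1])
		if err1 != nil || err2 != nil || lo > hi {
			return nil, fmt.Errorf("invalid range %q", entry)
		}
		// The bound check runs here, before a single map entry is created.
		if maximum >= 0 && hi > maximum {
			return nil, fmt.Errorf("range %q exceeds maximum %d", entry, maximum)
		}
		for i := lo; i <= hi; i++ {
			res[i] = true
		}
	}
	return res, nil
}

// parseUintList is the unbounded form. Given "0-4294967295" it would try to
// build a map of roughly four billion entries, which is the memory exhaustion.
func parseUintList(val string) (map[int]bool, error) {
	return parseUintListMax(val, -1)
}

// isCpusetListAvailable checks that every CPU (or memory node) in provided is
// present in available, the list the host's cgroup exposes. The trusted host
// list is parsed first and its largest element becomes the bound for parsing
// the untrusted request, so the request can never allocate more than the host
// actually has. (Assumed structure, not moby's implementation.)
func isCpusetListAvailable(provided, available string) (bool, error) {
	avail, err := parseUintList(available) // trusted input from the host
	if err != nil {
		return false, err
	}
	if len(avail) == 0 {
		return false, errors.New("no cpus/mems available on host")
	}
	maximum := 0
	for k := range avail {
		if k > maximum {
			maximum = k
		}
	}
	req, err := parseUintListMax(provided, maximum)
	if err != nil {
		return false, err
	}
	for k := range req {
		if !avail[k] {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample host list: eight CPUs, "0-7".
	ok, err := isCpusetListAvailable("0-3,5", "0-7")
	fmt.Println(ok, err) // true <nil>
	ok, err = isCpusetListAvailable("2-3", "0-1,4-7")
	fmt.Println(ok, err) // false <nil>
	// The attacker-controlled value: rejected by the bound check, nothing allocated.
	_, err = isCpusetListAvailable("0-4294967295", "0-7")
	fmt.Println(err)
}
```

The point of the bounded variant is the order of operations: the upper bound of each range is compared against the host's largest CPU or node number before the expansion loop runs, so a hostile range costs a string parse rather than a map of billions of entries.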

Comment 6 Riccardo Schirone 2019-01-31 12:28:14 UTC
Even though, in general, a user needs to be root or have high privileges to run docker commands, it was anyway considered a security issue, as there are docker plugins that enable authentication and allow users to perform a subset of the APIs dockerd provides. This would allow a non-privileged user to crash the dockerd daemon itself.

Comment 7 Riccardo Schirone 2019-01-31 12:31:18 UTC
Statement:

This issue affects the versions of docker as shipped with Red Hat Enterprise Linux 7, however if docker is accessible only by root or highly privileged users, as it is by default, a low-privileged attacker will not be able to trigger the flaw.

Comment 8 Riccardo Schirone 2019-02-18 08:09:52 UTC
Decreasing Impact to Low because normally Docker is accessible only by root or by high-privilege users.

Comment 9 errata-xmlrpc 2019-03-13 01:52:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0487 https://access.redhat.com/errata/RHSA-2019:0487