Bug 1747222 (CVE-2019-14271)

Summary: CVE-2019-14271 docker: nsswitch based config loaded inside chroot under Glibc
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adimania, admiller, amurdaca, andreas.bierfert, codonell, dbecker, dj, dwalsh, fkluknav, frantisek.kluknavsky, fweimer, ichavero, jcajka, jjoyce, jschluet, kbasil, lhh, lpeer, lsm5, marianne, mburns, nalin, pkhaire, puebele, santiago, sclewis, sisharma, slinaber, vbatts, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: docker 19.03.1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in Docker if it is compiled with Go 1.11. During a `docker cp` command, the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container. An attacker could abuse this flaw by executing code with the root privileges.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-09-09 09:42:20 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1747223, 1747224    
Bug Blocks: 1747225    

Description Pedro Sampaio 2019-08-30 00:12:02 UTC 
In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.

References:

https://docs.docker.com/engine/release-notes/
https://github.com/moby/moby/issues/39449
Comment 1 Pedro Sampaio 2019-08-30 00:12:21 UTC 
Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1747223]
Affects: openstack-rdo [bug 1747224]
Comment 2 Riccardo Schirone 2019-09-02 17:30:13 UTC 
Upstream PR:
https://github.com/moby/moby/pull/39612

Upstream patches:
https://github.com/moby/moby/commit/11e48badcb67554b3d795241855028f28d244545
Comment 5 Riccardo Schirone 2019-09-03 08:33:38 UTC 
According to upstream this flaw affects only versions that use Go 1.11 (see https://github.com/moby/moby/pull/39612#issuecomment-517999360).
Comment 6 Riccardo Schirone 2019-09-03 08:34:30 UTC 
Statement:

This issue did not affect the versions of docker as shipped with Red Hat Enterprise Linux 7 as they did not use Go 1.11.
Comment 7 Product Security DevOps Team 2019-09-09 09:42:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14271