Bug 1874268 (CVE-2020-14370)

Summary: CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aos-bugs, bbaude, bmontgom, debarshir, dwalsh, eparis, jburrell, jligon, jnovy, jokerman, lsm5, mheon, nstielau, rh.container.bot, rschiron, santiago, security-response-team, sponnaga, tsweeney, umohnani
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: podman 2.0.5
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in containers/podman. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container leak into subsequent containers. This flaw allows an attacker who controls the subsequent containers to gain access to sensitive information stored in such variables. The highest threat from this vulnerability is to confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-27 20:21:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1898991, 1898992, 1874270, 1874271, 1874272, 1876286, 1877296, 1881062, 1881345
Bug Blocks: 1862323

Description Guilherme de Almeida Suckevicz 2020-08-31 20:45:00 UTC
A flaw was discovered in Podman before upstream version 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first containers will get leaked into subsequent containers. An attacker who has control over those subsequent containers may get access to secrets shared with previous containers through environment variables.

Comment 4 Riccardo Schirone 2020-09-21 10:59:00 UTC
The flaw lies in pkg/spec/spec.go:createConfigToOCISpec() function, where the variable DefaultEnvVariables of the env package is used and modified without making a copy of it. Thus when creating multiple containers in such a way that createConfigToOCISpec() is used, variables defined for previously created containers are leaked to newer containers.

Function createConfigToOCISpec() is used by the varlink API or by the REST API, in particular the Docker-compatible API.
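
The aliasing pattern described in this comment, as an added illustration that is not podman's own code: a package-level default map is mutated in place by the "leaky" builder, so a secret passed to container A shows up in container B's spec, while the fixed builder copies the defaults first. The map type, the values in newDefaults(), and the builder/leaks function names are assumptions for the demo.

```go
package main

import "fmt"

// newDefaults builds the process-wide default environment (the role of
// env.DefaultEnvVariables in podman; map type and values assumed here).
func newDefaults() map[string]string {
	return map[string]string{
		"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
		"TERM": "xterm",
	}
}

// DefaultEnvVariables is shared by every container spec built in this process.
var DefaultEnvVariables = newDefaults()
// buildEnvLeaky mirrors the pre-2.0.5 pattern: the shared map is aliased and
// then mutated, so each container's variables end up in the global defaults.
func buildEnvLeaky(userEnv map[string]string) map[string]string {
	env := DefaultEnvVariables // alias, not a copy
	for k, v := range userEnv {
		env[k] = v
	}
	return env
}

// buildEnvFixed copies the defaults into a fresh map before merging the
// container's own variables, so nothing written here outlives this call.
func buildEnvFixed(userEnv map[string]string) map[string]string {
	env := make(map[string]string, len(DefaultEnvVariables)+len(userEnv))
	for k, v := range DefaultEnvVariables {
		env[k] = v
	}
	for k, v := range userEnv {
		env[k] = v
	}
	return env
}

// leaks resets the defaults, creates container A with a constructed secret,
// then container B, and reports whether B's spec carries A's secret.
func leaks(build func(map[string]string) map[string]string) bool {
	DefaultEnvVariables = newDefaults()
	build(map[string]string{"DB_PASSWORD": "constructed-secret"})
	_, found := build(map[string]string{"APP": "b"})["DB_PASSWORD"]
	return found
}

func main() {
	fmt.Println("leaky:", leaks(buildEnvLeaky), "fixed:", leaks(buildEnvFixed)) // leaky: true fixed: false
}
```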

Comment 8 Riccardo Schirone 2020-09-21 13:58:56 UTC
To actually get access to possible secrets passed through environment variables, an attacker would require access to containers in the infrastructure, created in such a way to trigger this flaw.

Comment 9 Riccardo Schirone 2020-09-21 14:29:07 UTC
By default, in Red Hat Enterprise Linux 8 when using the podman socket/service through systemd, the varlink session automatically expires after 60 seconds, so to leak environment variables from one container to another they have to be created in a short time.

Comment 11 Riccardo Schirone 2020-09-22 08:43:28 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1881345]

Comment 12 errata-xmlrpc 2020-10-27 14:54:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297

Comment 13 Product Security DevOps Team 2020-10-27 20:21:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14370

Comment 14 errata-xmlrpc 2020-11-10 13:54:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:5056 https://access.redhat.com/errata/RHSA-2020:5056

Comment 19 Mark Cooper 2020-12-12 03:01:23 UTC
Statement:

Whilst OpenShift Container Platform (OCP) does include podman, the Varlink API is not enabled by default. However, as it is trivial to activate this feature, OCP has been marked as affected.

OCP 3.11 has previously packaged podman, but instead now relies on the version from rhel-extra. The older version previously packaged is not vulnerable to this CVE and hence has been marked not affected.

Comment 20 errata-xmlrpc 2021-02-16 14:21:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:0531 https://access.redhat.com/errata/RHSA-2021:0531