Summary: | CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aos-bugs, bbaude, bmontgom, debarshir, dwalsh, eparis, jburrell, jligon, jnovy, jokerman, lsm5, mheon, nstielau, rh.container.bot, rschiron, santiago, security-response-team, sponnaga, tsweeney, umohnani |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | podman 2.0.5 | Doc Type: | If docs needed, set a value |
Doc Text: |
An information disclosure flaw was found in containers/podman. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container leak into subsequent containers. This flaw allows an attacker who controls the subsequent containers to gain access to sensitive information stored in such variables. The highest threat from this vulnerability is to confidentiality.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-10-27 20:21:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Bug Depends On: | 1898991, 1898992, 1874270, 1874271, 1874272, 1876286, 1877296, 1881062, 1881345 | ||
Bug Blocks: | 1862323 |
Description
Guilherme de Almeida Suckevicz
2020-08-31 20:45:00 UTC
The flaw lies in pkg/spec/spec.go:createConfigToOCISpec() function, where the variable DefaultEnvVariables of the env package is used and modified without making a copy of it. Thus when creating multiple containers in such a way that createConfigToOCISpec() is used, variables defined for previously created containers are leaked to newer containers. Function createConfigToOCISpec() is used by varlink API or by the REST API, in particular the Docker-compatible API.

Upstream patch: https://github.com/containers/podman/commit/a7e864e6e7de894d4edde4fff00e53dc6a0b5074

To actually get access to possible secrets passed through environment variables, an attacker would require access to containers in the infrastructure, created in such a way to trigger this flaw. By default, in Red Hat Enterprise Linux 8 when using the podman socket/service through systemd, the varlink session automatically expires after 60 seconds, so to leak environment variables from one container to another they have to be created in a short time.

Created podman tracking bugs for this issue:
Affects: fedora-all [bug 1881345]

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.6
Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14370

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extras
Via RHSA-2020:5056 https://access.redhat.com/errata/RHSA-2020:5056

Statement: Whilst OpenShift Container Platform (OCP) does include podman, the Varlink API is not enabled by default. However, as it is trivial to activate this feature, OCP has been marked as affected. OCP 3.11 has previously packaged podman, but instead now relies on the version from rhel-extra. The older version previously packaged is not vulnerable to this CVE and hence has been marked not affected.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:0531 https://access.redhat.com/errata/RHSA-2021:0531
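The bug class described above (a package-level default map modified without first copying it) can be reproduced in a few lines of Go. This is an added example, not podman's code or the upstream patch; `defaultEnv`, `buildEnvShared`, `buildEnvCopied`, `leaks` and all values are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// defaultEnv stands in for a package-level default environment map
// (hypothetical name and values, constructed for this example).
var defaultEnv = map[string]string{
	"PATH": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
	"TERM": "xterm",
}

// buildEnvShared shows the bug class: Go maps are reference types, so
// "env := defaultEnv" aliases the global and every write lands in it.
func buildEnvShared(user map[string]string) map[string]string {
	env := defaultEnv
	for k, v := range user {
		env[k] = v
	}
	return env
}

// buildEnvCopied copies the defaults into a fresh map before merging, so
// per-container values never reach the shared global.
func buildEnvCopied(user map[string]string) map[string]string {
	env := make(map[string]string, len(defaultEnv)+len(user))
	for k, v := range defaultEnv {
		env[k] = v
	}
	for k, v := range user {
		env[k] = v
	}
	return env
}

// leaks reports whether a second container spec, created with no variables
// of its own, contains a value that was given only to the first one.
func leaks(build func(map[string]string) map[string]string) bool {
	build(map[string]string{"DB_PASSWORD": "constructed-secret"})
	_, found := build(map[string]string{})["DB_PASSWORD"]
	return found
}

func main() {
	// The copied variant runs first because the shared variant pollutes defaultEnv.
	fmt.Println("copied defaults leak:", leaks(buildEnvCopied)) // false
	fmt.Println("shared defaults leak:", leaks(buildEnvShared)) // true
}
```

The leaked value persists only as long as the process holding the map stays alive, which matches the description's point that containers must be created within the same short-lived API session.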