Bug 1919050 (CVE-2021-20199)
Summary: | CVE-2021-20199 podman: Remote traffic to rootless containers is seen as originating from localhost | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | acui, aos-bugs, bbaude, bmontgom, container-sig, debarshir, dwalsh, eparis, jburrell, jligon, jnovy, jokerman, lsm5, mheon, nstielau, pthomas, rh.container.bot, santiago, security-response-team, sponnaga, tsweeney, umohnani |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | podman 3.0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in podman. Rootless containers receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts), which impacts containerized applications that trust localhost (127.0.0.1) connections by default and do not require authentication. The highest threat from this vulnerability is to data integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-05-18 14:38:05 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1922865, 1922866, 1924134, 1924157 | ||
Bug Blocks: | 1918409 |
Description
Sam Fowler
2021-01-22 01:12:09 UTC
Upstream fix:
https://github.com/rootless-containers/rootlesskit/pull/206
https://github.com/containers/podman/pull/9052

Mitigation:
Configure containerized applications to require authentication for connections from all sources, including localhost.

Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1922865]

Statement:
This issue does not affect Podman prior to version 1.8.0. Podman shipped in the following products is therefore not affected:
* Red Hat Enterprise Linux 7 Extras
* Red Hat Enterprise Linux 8 Container Tools stream 1.0
* Red Hat Enterprise Linux 8 Container Tools stream 2.0
* OpenShift Container Platform 3.11
* OpenShift Container Platform 4.1 to 4.5

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-20199

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2021:1796 https://access.redhat.com/errata/RHSA-2021:1796

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2022:7954 https://access.redhat.com/errata/RHSA-2022:7954
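Added illustration (not code from the bug report or from podman) of why the mitigation above matters: the "trust localhost" authorization pattern the Doc Text describes is placed beside the always-authenticate check the mitigation calls for, and both are run against a remote client whose connection, as in the affected podman versions, shows up inside the container as 127.0.0.1. The peer addresses, the token and the `simulate_rootless_forwarding` stub are constructed assumptions, not podman internals.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample values: a remote client (TEST-NET-3 address) whose
# connection the affected rootless port forwarder presents to the
# containerized application as coming from the loopback address.
REMOTE_PEER = "203.0.113.7"
OBSERVED_PEER_IN_CONTAINER = "127.0.0.1"


@dataclass
class Request:
    peer_ip: str             # source address as seen by the application
    token: Optional[str]     # credential presented by the client, if any


def is_authorized_trusting_localhost(req: Request, expected_token: str) -> bool:
    """Vulnerable pattern: connections that appear to come from 127.0.0.1 skip authentication."""
    if req.peer_ip == "127.0.0.1":
        return True
    return req.token is not None and hmac.compare_digest(req.token, expected_token)


def is_authorized_always_authenticate(req: Request, expected_token: str) -> bool:
    """Hardened pattern (the page's mitigation): every source must present a valid credential."""
    if req.token is None:
        return False
    return hmac.compare_digest(req.token, expected_token)


def simulate_rootless_forwarding(true_peer_ip: str) -> str:
    """Stub modelling the bug: whatever the real source, the container observes 127.0.0.1."""
    return OBSERVED_PEER_IN_CONTAINER


def assess(expected_token: str = "constructed-secret") -> dict:
    """Outcome for an unauthenticated remote client under both authorization checks."""
    req = Request(peer_ip=simulate_rootless_forwarding(REMOTE_PEER), token=None)
    return {
        "observed_peer": req.peer_ip,
        "trust_localhost_grants_access": is_authorized_trusting_localhost(req, expected_token),
        "always_authenticate_grants_access": is_authorized_always_authenticate(req, expected_token),
    }


if __name__ == "__main__":
    print(assess())
```

The first check admits the remote client without any credential because the observed source is loopback; the second check is unaffected by what the forwarder reports as the source address.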