Bug 1954736 (CVE-2021-30465)
Summary: | CVE-2021-30465 runc: vulnerable to symlink exchange attack | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | ajia, amurdaca, aos-bugs, bbaude, bmontgom, cperry, dwalsh, eparis, fcanogab, gghezzo, gparvin, gscrivan, jburrell, jchaloup, jnovy, jokerman, jramanat, jshepherd, jwboyer, jweiser, jwest, kir, kolyshkin, lsm5, mbenatto, mfojtik, mpatel, nstielau, o.lemasle, pbrookes, pehunt, petr, rh.container.bot, rphillips, santiago, security-response-team, sfowler, sponnaga, stcannon, sttts, thee, TicoTimo, tsweeney, xxia |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | runc 1.0.0-rc95 | Doc Type: | If docs needed, set a value |
Doc Text: | The runc package is vulnerable to a symlink exchange attack whereby an attacker can request a seemingly innocuous container configuration that results in the host filesystem being bind-mounted into the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as to system availability. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2021-05-24 17:32:01 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1956188, 1956189, 1959881, 1959882, 1954940, 1955286, 1955287, 1955288, 1955636, 1955637, 1955638, 1955639, 1955640, 1955641, 1955642, 1955643, 1955644, 1955645, 1955646, 1955647, 1955648, 1955649, 1955650, 1955651, 1955652, 1955653, 1955654, 1955655, 1955656, 1959370, 1959474, 1959475, 1962096 | | |
Bug Blocks: | 1954737 | | |
Attachments: | | | |
Description

Guilherme de Almeida Suckevicz
2021-04-28 17:36:55 UTC

Acknowledgments: Name: Etienne Champetier

Statement: OpenShift Container Platform OCP 3.11 by default uses Docker from the RHEL-7 extras repository. If using OCP 3.11, upgrade docker on all nodes to a fixed version from the RHEL-7 extras channel. CRI-O could be used instead of Docker on OCP 3.11, and in that case upgrade the runc version from the OCP rpm repository when it becomes available.

Created attachment 1782007 [details]
Full patch set from Aleksa - patches work for rc93.

Mitigation: On OpenShift Container Platform keep SELinux in enforcing mode on the worker nodes to reduce the impact of this vulnerability.

Hi Kir, seems the attached "Backport to upstream runc-1.0.0-rc10/rc90" doesn't apply against extras-rhel-7.9's runc-1.0.0-68.rc10:

```
+ /usr/bin/cat /tmp/rh/runc/extras-rhel-7.9/0001-rootfs-add-mount-destination-validation.patch
+ /usr/bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch
6 out of 9 hunks FAILED -- saving rejects to file libcontainer/rootfs_linux.go.rej
1 out of 2 hunks FAILED -- saving rejects to file libcontainer/utils/utils.go.rej
```

Can you please fix the patch for runc-1.0.0-68.rc10? Thanks!

Created attachment 1784640 [details]
Backport to projectatomic/runc docker-1.13.1-rhel branch (fixed)

v2: fixed to import Sirupsen/logrus rather than sirupsen/logrus

> cannot find package "github.com/sirupsen/logrus" in any of: [...]

My bad. Patch updated.

Created runc tracking bugs for this issue:

Affects: fedora-all [bug 1962096]

Upstream commit: https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f

> it seems backports are still needed for rc5 and mainly for rc92, where the patches for rc10/rc93 don't apply. Do you mind having a look, Kir?
still working on it...

For Red Hat OpenStack Platform, RHEL's packaged runc is used for containerized services via docker and podman. Note: OpenStack doesn't directly package runc. However, the impact of this flaw is reduced for OpenStack because:

* SELinux policies are preconfigured and SELinux is enabled by default.
* Containers that run in an OpenStack environment are trusted services. Introducing a malicious access point would take significant effort and be easy to remediate once discovered.

Created attachment 1785360 [details]
Backport to upstream runc-1.0.0-rc5

This is a manual backport to runc v1.0.0-rc5. Did not do any testing other than making sure it compiles.

Created attachment 1785365 [details]
Backport to upstream runc-1.0.0-rc92

Manual backport to rc92. Only testing done is to make sure it compiles.
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1562 https://access.redhat.com/errata/RHSA-2021:1562

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-30465

Hi Kir, the rc92 patch applies cleanly - packages are now built with that patch. Thanks!

There is an issue with the rc5 patch:

```
+ /usr/bin/cat /tmp/rh/runc/stream-container-tools-1.0-rhel-8.5.0/0001-rc5-rootfs-add-mount-destination-validation.patch
+ /usr/bin/git apply --index --reject -
Checking patch libcontainer/rootfs_linux.go...
Hunk #4 succeeded at 183 (offset 20 lines).
error: while searching for:
		}
		return nil
	case "tmpfs":
		copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
		tmpDir := ""
		stat, err := os.Stat(dest)
		if err != nil {
			if err := os.MkdirAll(dest, 0755); err != nil {
				return err
			}
		}
		if copyUp {
			tmpDir, err = ioutil.TempDir("/tmp", "runctmpdir")
			if err != nil {
				return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
			}
			defer os.RemoveAll(tmpDir)
			m.Destination = tmpDir
		}
		if err := mountPropagate(m, rootfs, mountLabel); err != nil {
			return err
		}
		if copyUp {
			if err := fileutils.CopyDirectory(dest, tmpDir); err != nil {
				errMsg := fmt.Errorf("tmpcopyup: failed to copy %s to %s: %v", dest, tmpDir, err)
				if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
					return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
				}
				return errMsg
			}
			if err := unix.Mount(tmpDir, dest, "", unix.MS_MOVE, ""); err != nil {
				errMsg := fmt.Errorf("tmpcopyup: failed to move mount %s to %s: %v", tmpDir, dest, err)
				if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
					return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
				}
				return errMsg
			}
		}
		if stat != nil {
			if err = os.Chmod(dest, stat.Mode()); err != nil {
				return err

error: patch failed: libcontainer/rootfs_linux.go:190
Hunk #6 succeeded at 302 (offset 46 lines).
Hunk #7 succeeded at 380 (offset 46 lines).
Hunk #8 succeeded at 533 (offset 47 lines).
Hunk #9 succeeded at 541 (offset 47 lines).
Hunk #10 succeeded at 882 (offset 82 lines).
Checking patch libcontainer/utils/utils.go...
error: while searching for:
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"io"
	"os"
	"path/filepath"
	"strings"
	"unsafe"

	"golang.org/x/sys/unix"
)

error: patch failed: libcontainer/utils/utils.go:4
Hunk #2 succeeded at 73 (offset -18 lines).
Checking patch libcontainer/utils/utils_test.go...
error: while searching for:
		t.Errorf("expected to receive '/var' and received %s", path)
	}
}

error: patch failed: libcontainer/utils/utils_test.go:152
Applying patch libcontainer/rootfs_linux.go with 1 reject...
Hunk #1 applied cleanly.
Hunk #2 applied cleanly.
Hunk #3 applied cleanly.
Hunk #4 applied cleanly.
Rejected hunk #5.
Hunk #6 applied cleanly.
Hunk #7 applied cleanly.
Hunk #8 applied cleanly.
Hunk #9 applied cleanly.
Hunk #10 applied cleanly.
Applying patch libcontainer/utils/utils.go with 1 reject...
Rejected hunk #1.
Hunk #2 applied cleanly.
Applying patch libcontainer/utils/utils_test.go with 1 reject...
Rejected hunk #1.
```

Can you please have a look?
runc in the 1.0 stream is based on runc-2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7 and there are currently these patches applied on top of it: http://pkgs.devel.redhat.com/cgit/rpms/runc/tree/?h=stream-container-tools-1.0-rhel-8.5.0

Thanks, Jindrich

Created attachment 1786656 [details]
Backport to rhel8.5 (runc v1.0.0-rc5-133-g2abd837c)

The rc5 patch was not applicable to the rhel8.5 codebase because it's closer to rc6 in fact:

```
[kir@kir-rhat runc]$ git describe --tags --contains 2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7
v1.0.0-rc6~27
[kir@kir-rhat runc]$ git describe --tags 2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7
v1.0.0-rc5-133-g2abd837c
```

The commit 62a4763a7ab490340eab59a72498c6f4a197bed8 (aka v1.0.0-rc5-133-g2abd837c) made changes to tmpfs copyup; this is why the rc5 patch was not applicable. Attached is the patch against the rhel8.5 codebase as found at http://pkgs.devel.redhat.com/cgit/rpms/runc/tree/?h=stream-container-tools-1.0-rhel-8.5.0 (with all 5 patches from the spec pre-applied).

Thanks Kir. The patch applies cleanly and is now committed into container-tools-1.0.

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:1566 https://access.redhat.com/errata/RHSA-2021:1566

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:2057 https://access.redhat.com/errata/RHSA-2021:2057

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2021:2144 https://access.redhat.com/errata/RHSA-2021:2144

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2021:2145 https://access.redhat.com/errata/RHSA-2021:2145

Created attachment 1789284 [details]
Backport to projectatomic/runc docker-1.13.1-rhel branch (fixed-fixed)

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2292 https://access.redhat.com/errata/RHSA-2021:2292

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2291 https://access.redhat.com/errata/RHSA-2021:2291

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:2150 https://access.redhat.com/errata/RHSA-2021:2150

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2371 https://access.redhat.com/errata/RHSA-2021:2371

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2370 https://access.redhat.com/errata/RHSA-2021:2370

Container-tools:1.0 for rhel8 is out of support scope already and won't receive these fixes.
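The Doc Text above describes a config-supplied mount destination that ends up on the host filesystem once a path component is exchanged for a symlink, and the backports traded in the comments all carry the "mount destination validation" fix. The helper below is an added illustration of that check, not runc's own code: it maps an untrusted destination onto the host path it really resolves to and refuses it when that path leaves rootfs; `resolveMountDest` and `ErrEscapesRootfs` are names chosen here, and the directory layout in `main` is constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRootfs is returned when a config-supplied mount destination
// resolves to a host path outside the container rootfs.
var ErrEscapesRootfs = errors.New("mount destination escapes rootfs")

// resolveMountDest maps an untrusted mount destination from a container
// config onto the host path a mount would actually land on and refuses it
// unless that path stays inside rootfs. The lexical join alone already stops
// ".." from climbing above rootfs; the symlink resolution afterwards is what
// catches a component that has been exchanged for a symlink to the host.
func resolveMountDest(rootfs, dest string) (string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	// Anchoring dest at "/" makes "../../x" clean to "/x" before joining.
	joined := filepath.Join(root, filepath.Clean("/"+dest))
	resolved, err := filepath.EvalSymlinks(joined)
	if err != nil {
		return "", err
	}
	if resolved != root && !strings.HasPrefix(resolved, root+string(os.PathSeparator)) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrEscapesRootfs, dest, resolved)
	}
	return resolved, nil
}

func main() {
	// Constructed layout: rootfs/data is a real directory, rootfs/evil is a
	// symlink pointing outside rootfs, as an exchanged directory would be.
	rootfs, _ := os.MkdirTemp("", "rootfs")
	outside, _ := os.MkdirTemp("", "host")
	defer os.RemoveAll(rootfs)
	defer os.RemoveAll(outside)
	_ = os.Mkdir(filepath.Join(rootfs, "data"), 0o755)
	_ = os.Symlink(outside, filepath.Join(rootfs, "evil"))
	for _, dest := range []string{"/data", "/../../data", "/evil"} {
		p, err := resolveMountDest(rootfs, dest)
		fmt.Printf("%-12s -> %q err=%v\n", dest, p, err)
	}
}
```

Resolving with EvalSymlinks still leaves a window between this check and the mount in which a directory can be swapped again; the upstream fix closes it by validating the destination through a handle to the already-opened path (via /proc/self/fd) rather than a re-resolved string.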