Bug 2026675 (CVE-2021-4024)
| Summary: | CVE-2021-4024 podman: podman machine spawns gvproxy with port bound to all IPs | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acui, bbaude, bmontgom, container-sig, debarshir, dwalsh, eparis, jburrell, jligon, jnovy, lsm5, mheon, nstielau, patrick, pehunt, pthomas, rh.container.bot, santiago, sponnaga, tsweeney, umohnani, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | podman 3.4.3 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-12-06 00:33:58 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2026676, 2029450, 2029451, 2029452 | ||
| Bug Blocks: | 2026677, 2026929 | ||
|
Description
Pedro Sampaio
2021-11-25 13:35:46 UTC
Created podman tracking bugs for this issue: Affects: fedora-all [bug 2026676] Issue also mentioned in the Internet. References: https://twitter.com/discordianfish/status/1463462371675066371 This vulnerability is impacting Podman version >=3.3.0 and >=3.4.0 The port forwarding and gvproxy support was introduced by this PR: https://github.com/containers/podman/commit/7ef3981abe2412727840a2886489a08c03a05299 Fix is already merged in the main Podman branch: https://github.com/containers/podman/pull/12283 But new version is not released yet. @mheon Looks like another candidate for Podman v3.4.3 Podman v3.4.3 contains the fix for this CVE: https://github.com/containers/podman/releases/tag/v3.4.3 FEDORA-2021-6bc3fe7129 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. FEDORA-2021-6bd024d2a7 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:7954 https://access.redhat.com/errata/RHSA-2022:7954 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4024 The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:10289 https://access.redhat.com/errata/RHSA-2024:10289 |