Bug 2069368 (CVE-2022-24778)
Summary: | CVE-2022-24778 imgcrypt: Unauthorized access to encrypted container image on a shared system due to missing check in CheckAuthorization() code path | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | adam.kaplan, agarcial, amuller, anpicker, aos-bugs, bbennett, bmontgom, bthurber, dymurray, eglynn, eparis, erooth, go-sig, gparvin, jburrell, jerzhang, jhadvig, jjoyce, jmatthew, jokerman, jramanat, lhh, maszulik, mburns, mfojtik, njean, nstielau, pahickey, pbhattac, rhos-maint, spandura, spasquie, sponnaga, spower, stcannon, vkumar, whayutin, zebob.m |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | imgcrypt 1.1.4 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in the imgcrypt library when checking the keys of an authorized user to access an encrypted image on systems where layers are not available and cannot run on the host architecture. This flaw allows an attacker to run an image without providing the previously decrypted keys.
|
Last Closed: | 2022-06-09 04:51:25 UTC | Type: | --- |
Bug Depends On: | 2070932, 2069369, 2069502, 2069508, 2069509, 2069510, 2069511, 2069512, 2069513, 2069514, 2069515, 2069516, 2069517, 2069518, 2069519, 2069520, 2069521, 2069522, 2069523, 2069524, 2070933, 2070934, 2070935, 2070937, 2070938, 2070939 | ||
Bug Blocks: | 2069372 |
Description
Pedro Sampaio
2022-03-28 19:23:23 UTC
Created golang-github-containerd-imgcrypt tracking bugs for this issue:
Affects: fedora-all [bug 2069369]

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8
Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476

This issue has been addressed in the following products:
Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8
Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-24778

This issue has been addressed in the following products:
RHACS-3.73-RHEL-8
Via RHSA-2022:8827 https://access.redhat.com/errata/RHSA-2022:8827