Bug 2070368 (CVE-2022-1227)

Summary: CVE-2022-1227 psgo: Privilege escalation in 'podman top'
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acui, aos-bugs, bbaude, bbennett, bdettelb, blaise, bmontgom, bradley.g.smith, container-sig, debarshir, dwalsh, ebakerupw, eparis, jakubr, jburrell, jerzhang, jhrozek, jligon, jnovy, jokerman, lbragsta, lsm5, mheon, mrogers, nstielau, n.yaghoobi.s, patrick, pehunt, pthomas, rh.container.bot, rphillips, ryncsn, santiago, sponnaga, tsweeney, umohnani, vkumar, walters, wenshen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: podman 4.0, psgo 1.7.2
Doc Text:
A privilege escalation flaw was found in Podman. This flaw allows an attacker to publish a malicious image to a public registry. Once this image is downloaded by a potential victim, the vulnerability is triggered after a user runs the 'podman top' command. This action gives the attacker access to the host filesystem, leading to information disclosure or denial of service.
Last Closed: 2022-12-04 03:33:14 UTC
Bug Depends On: 2072247, 2072248, 2072249, 2072250, 2072251, 2072252, 2072253, 2072254, 2072255, 2072256, 2072257, 2072258, 2072259, 2072260, 2072261, 2072262, 2072263, 2072264, 2072265, 2072266, 2072267, 2072268, 2072269, 2072270, 2074089, 2074135, 2074136, 2074137, 2074138, 2074139, 2074140, 2074141, 2074142, 2074143, 2074144, 2074145, 2074146, 2074147, 2074148, 2074164, 2074165, 2074725, 2074726, 2074727, 2074728, 2074729, 2074730, 2074731, 2079741, 2082011    
Bug Blocks: 2044679, 2071612    

Description Nick Tait 2022-03-30 23:13:01 UTC
For containers which utilize user namespaces, running 'podman top' triggers the nsenter binary inside a container. The root issue is in github.com/containers/psgo. Podman top doesn't join the user namespace of the container. This could enable an attacker to create a malicious nsenter binary which provides erroneous results to podman top, make syscalls, and other operations beyond what is normally allowed for the container.

Comment 2 Nick Tait 2022-04-05 19:44:37 UTC
Patch: https://github.com/containers/psgo/pull/92

Comment 10 Mauro Matteo Cascella 2022-04-11 16:04:05 UTC
Upstream podman issue:
https://github.com/containers/podman/issues/10941

Comment 11 Mauro Matteo Cascella 2022-04-11 16:47:32 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2074164]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2074165]

Comment 12 Nick Tait 2022-04-12 22:35:04 UTC
Created cri-o:1.17/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074725]


Created cri-o:1.18/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074726]


Created cri-o:1.19/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074727]


Created cri-o:1.20/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074728]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074729]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074730]


Created cri-o:nightly/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2074731]

Comment 18 errata-xmlrpc 2022-05-10 13:18:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1762 https://access.redhat.com/errata/RHSA-2022:1762

Comment 19 errata-xmlrpc 2022-05-10 17:16:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:2143 https://access.redhat.com/errata/RHSA-2022:2143

Comment 20 errata-xmlrpc 2022-05-11 14:49:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2022:2190 https://access.redhat.com/errata/RHSA-2022:2190

Comment 22 errata-xmlrpc 2022-05-18 13:57:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:4651 https://access.redhat.com/errata/RHSA-2022:4651

Comment 23 errata-xmlrpc 2022-05-26 21:31:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:2263 https://access.redhat.com/errata/RHSA-2022:2263

Comment 24 errata-xmlrpc 2022-05-31 12:15:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:4816 https://access.redhat.com/errata/RHSA-2022:4816

Comment 26 errata-xmlrpc 2022-07-19 21:05:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5622 https://access.redhat.com/errata/RHSA-2022:5622

Comment 29 Product Security DevOps Team 2022-12-04 03:33:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1227
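
For a Go project that depends on github.com/containers/psgo, the "Fixed In Version" field above gives a concrete check: is the pinned psgo release at or above 1.7.2? The Go code below is an added example, not code from psgo, Podman or this bug; the function names and the sample go.mod line are constructed for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// psgo module path and the release listed under "Fixed In Version" on this bug.
const psgoModule = "github.com/containers/psgo"
var fixed = [3]int{1, 7, 2}

// psgoVersion finds the psgo version in go.mod or vendor/modules.txt text; "replace" lines are skipped.
func psgoVersion(text string) (string, bool) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		for i := 0; i+1 < len(f) && f[0] != "replace"; i++ {
			if f[i] == psgoModule && strings.HasPrefix(f[i+1], "v") {
				return f[i+1], true
			}
		}
	}
	return "", false
}

// hasFix reports whether v is at or above 1.7.2. A pre-release or pseudo-version of
// 1.7.2 (v1.7.2-0.<date>-<hash>) sorts before the tag and counts as unfixed, as does unparsable input.
func hasFix(v string) bool {
	core, pre, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < fixed[i] {
			return false
		}
		if n > fixed[i] {
			return true
		}
	}
	return pre == ""
}

func main() {
	// Constructed go.mod line, not taken from a real project.
	v, ok := psgoVersion("require github.com/containers/psgo v1.7.1 // indirect\n")
	fmt.Println(v, ok, hasFix(v))
}
```

This reads source manifests only; a distribution package can carry the fix as a backport under an older version number, so use the errata listed above for installed packages.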