Bug 2182883 (CVE-2023-28642)

Summary:	CVE-2023-28642 runc: AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration
Product:	[Other] Security Response	Reporter:	Pedro Sampaio <psampaio>
Component:	vulnerability	Assignee:	Nobody <nobody>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	dfreiber, jburrell, jnovy, joelsmith, lsm5, mpatel, rogbas, tsweeney, vkumar
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	runc 1.1.5	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2183099, 2183102, 2183103, 2183100, 2183101, 2192149
Bug Blocks:	2182885

Description Pedro Sampaio 2023-03-29 21:10:36 UTC

runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration.

References:

https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c
https://github.com/opencontainers/runc/pull/3785

Comment 2 Michael Kaplan 2023-04-29 22:48:45 UTC

Created runc tracking bugs for this issue:

Affects: fedora-all [bug 2192149]

Comment 4 errata-xmlrpc 2023-05-17 22:31:48 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326