2116927 – (CVE-2022-2739) CVE-2022-2739 podman: Security regression of CVE-2020-14370 due to source code management issue

Bug 2116927 (CVE-2022-2739) - CVE-2022-2739 podman: Security regression of CVE-2020-14370 due to source code management issue

Summary: CVE-2022-2739 podman: Security regression of CVE-2020-14370 due to source cod...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-2739
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2116947
Blocks:	2116894
TreeView+	depends on / blocked

Reported:	2022-08-09 14:47 UTC by Mauro Matteo Cascella
Modified:	2023-09-14 09:51 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	The version of podman as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 advisory included an incorrect version of podman missing the fix for CVE-2020-14370, which was previously fixed via RHSA-2020:5056. This issue could possibly allow an attacker to gain access to sensitive information stored in environment variables.
Clone Of:
Environment:
Last Closed:	2022-09-02 12:25:52 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:6119	0	None	None	None	2022-08-22 09:16:00 UTC

Description Mauro Matteo Cascella 2022-08-09 14:47:17 UTC

The podman packages version podman-1.6.4-32.el7_9 as released for Red Hat Enterprise Linux 7 Extras via RHSA-2022:2190 (https://access.redhat.com/errata/RHSA-2022:2190) included an incorrect version of podman that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2020-14370, that was previously corrected in the podman packages in Red Hat Enterprise Linux 7 Extras via RHSA-2020:5056 (https://access.redhat.com/errata/RHSA-2020:5056). The CVE-2022-2739 was assigned to this security regression and it is specific to the podman packages produced by Red Hat.

The original issue - CVE-2020-14370 - could possibly allow an attacker to gain access to sensitive information stored in environment variables. For more details about the original issue, see:

https://access.redhat.com/security/cve/CVE-2020-14370
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14370

Comment 2 errata-xmlrpc 2022-08-22 09:15:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2022:6119 https://access.redhat.com/errata/RHSA-2022:6119

Comment 3 Product Security DevOps Team 2022-09-02 12:25:50 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2739

Note You need to log in before you can comment on or make changes to this bug.