Bug 2141733 - Rook Ceph crashcollector: Container breakout
Summary: Rook Ceph crashcollector: Container breakout
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2141734 2141735
Blocks: 2141732
TreeView+ depends on / blocked
 
Reported: 2022-11-10 16:17 UTC by Sage McTaggart
Modified: 2022-12-08 18:55 UTC (History)
9 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2022-12-08 18:55:24 UTC
Embargoed:


Attachments (Terms of Use)

Description Sage McTaggart 2022-11-10 16:17:25 UTC
"Container breakout is used to indicate a situation in which a program
running inside a Docker container can overcome isolation mechanisms and
gain additional capabilities or access to confidential information on the
host.
It was observed that the container was running with root user and
CAP_SYS_ADMIN capability.
cgroups (abbreviated from control groups) is a Linux kernel feature that
limits, accounts for, and isolates the resource usage (CPU, memory, disk
I/O, network, etc.) of a collection of processes. Essentially, cgroups are
one way that Docker isolates containers.

They abused the misconfigurations as mentioned above and utilized the
notify_on_release feature in cgroups to escape from the
container. Reference:
https://phoenixnap.com/kb/docker-security-best-practices"

Comment 1 Sage McTaggart 2022-11-10 16:18:12 UTC
Fix Recommendation
To help keep containers secure:
Do not use privileged flag, it disables all the security mechanisms placed by docker.
Do not run containers as the root user.
Use SecComp and AppArmor profiles to harden the container.
Do not mount root volumes into the container

Comment 3 Sage McTaggart 2022-12-08 18:53:52 UTC
This is actually a report of CVE-2022-0492[1][2] as applied to Ceph on Openshift using RHEL as a base platform. As a result of the flaw in RHEL (as used as the base image), a customer's pentest showed this to be affected. However, there is no evidence this is an independent flaw, and thus, there is no additional impact to Confidentiality, Integrity, or Availability, and no security boundaries being crossed. In addition, this requires running as root and CAP_SYS_ADMIN capability, which is not an approved configuration. 

[1] https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/
[2] https://access.redhat.com/security/cve/cve-2022-0492


Note You need to log in before you can comment on or make changes to this bug.