Fedora Account System
Red Hat Associate
Red Hat Customer
"Container breakout is used to indicate a situation in which a program running inside a Docker container can overcome isolation mechanisms and gain additional capabilities or access to confidential information on the host. It was observed that the container was running with root user and CAP_SYS_ADMIN capability. cgroups (abbreviated from control groups) is a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. Essentially, cgroups are one way that Docker isolates containers. They abused the misconfigurations as mentioned above and utilized the notify_on_release feature in cgroups to escape from the container. Reference: https://phoenixnap.com/kb/docker-security-best-practices"
Fix Recommendation To help keep containers secure: Do not use privileged flag, it disables all the security mechanisms placed by docker. Do not run containers as the root user. Use SecComp and AppArmor profiles to harden the container. Do not mount root volumes into the container
This is actually a report of CVE-2022-0492[1][2] as applied to Ceph on Openshift using RHEL as a base platform. As a result of the flaw in RHEL (as used as the base image), a customer's pentest showed this to be affected. However, there is no evidence this is an independent flaw, and thus, there is no additional impact to Confidentiality, Integrity, or Availability, and no security boundaries being crossed. In addition, this requires running as root and CAP_SYS_ADMIN capability, which is not an approved configuration. [1] https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/ [2] https://access.redhat.com/security/cve/cve-2022-0492