Bug 1666565 (CVE-2018-20699) - CVE-2018-20699 docker: Memory exhaustion via large integer used with --cpuset-mems or --cpuset-cpus
Summary: CVE-2018-20699 docker: Memory exhaustion via large integer used with --cpuset...
Alias: CVE-2018-20699
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1666566 1666567 1666568 1667625 1671333
Blocks: 1666569
TreeView+ depends on / blocked
Reported: 2019-01-16 03:54 UTC by Sam Fowler
Modified: 2021-02-16 22:32 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-10 10:45:42 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0487 0 None None None 2019-03-13 01:52:23 UTC

Description Sam Fowler 2019-01-16 03:54:03 UTC
Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. 



Comment 1 Sam Fowler 2019-01-16 03:54:36 UTC
Created docker tracking bugs for this issue:

Affects: epel-6 [bug 1666568]
Affects: fedora-all [bug 1666566]

Created docker:2017.0/docker tracking bugs for this issue:

Affects: fedora-all [bug 1666567]

Comment 4 Riccardo Schirone 2019-01-31 12:25:01 UTC
Function isCpusetListAvailable() in pkg/sysinfo/sysinfo.go uses pkg/parsers/parsers.go:ParseUintList() function to parse the value passed through the --cpuset-mems docker option. ParseUintList() returns a map with each element in the list mapped to true/false. When the list is too big, the daemon tries to allocate such map, using all available memory and causing a crash.

Comment 6 Riccardo Schirone 2019-01-31 12:28:14 UTC
Even though, in general, a user needs to be root or have high privilege to run docker commands, it was considered anyway a security issue as there are docker plugins to enable authentication and allow users to perform a subset of the APIs dockerd provides. This would allow a non-privileged user to crash the dockerd daemon itself.

Comment 7 Riccardo Schirone 2019-01-31 12:31:18 UTC

This issue affects the versions of docker as shipped with Red Hat Enterprise Linux 7, however if docker is accessible only by root or highly privileged users, as it is by default, a low-privileged attacker will not be able to trigger the flaw.

Comment 8 Riccardo Schirone 2019-02-18 08:09:52 UTC
Decreasing Impact to Low because normally Docker is accessible only by root or by high-privileges users.

Comment 9 errata-xmlrpc 2019-03-13 01:52:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0487 https://access.redhat.com/errata/RHSA-2019:0487

Note You need to log in before you can comment on or make changes to this bug.