A flaw was discovered in Podman before upstream version 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables set for the first container leak into the containers created after it. An attacker who has control over those subsequent containers may obtain secrets that were shared with earlier containers through environment variables.
The flaw lies in the pkg/spec/spec.go:createConfigToOCISpec() function, where the variable DefaultEnvVariables of the env package is used and modified in place without first making a copy of it. Because that variable is package-level state shared by every call, each container's variables are written into it and carried over to every container created afterwards within the same process. Function createConfigToOCISpec() is used by both the Varlink API and the REST API, in particular the Docker-compatible API; the podman CLI, which runs a fresh process per command, does not share state between invocations in this way.
Upstream patch: https://github.com/containers/podman/commit/a7e864e6e7de894d4edde4fff00e53dc6a0b5074
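The following Go program is an added illustration of the aliasing bug described above; it is not Podman's code and the names defaultEnvVariables, envBeforeFix, envAfterFix and secondContainerSeesSecret are hypothetical stand-ins. It shows two back-to-back container creations handled by one long-lived API process: the first container is given a secret, the second is given nothing, and the vulnerable variant still hands the secret to the second container because assigning a Go map copies the map header rather than its contents.

```go
package main

import "fmt"

// Added example, not Podman's code. defaultEnvVariables stands in for the
// package-level env.DefaultEnvVariables map named in the bug report; the
// function names below are hypothetical.
var defaultEnvVariables = newDefaults()

func newDefaults() map[string]string {
	return map[string]string{
		"PATH":      "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
		"TERM":      "xterm",
		"container": "podman",
	}
}

// envBeforeFix mirrors the flawed pattern: assigning a Go map copies only the
// map header, so env aliases the shared defaults and every per-container
// write below persists into the next call.
func envBeforeFix(userEnv map[string]string) map[string]string {
	env := defaultEnvVariables // alias, not a copy
	for k, v := range userEnv {
		env[k] = v
	}
	return env
}

// envAfterFix copies the defaults into a fresh map before applying
// per-container variables, so one container's environment cannot reach
// the next one.
func envAfterFix(userEnv map[string]string) map[string]string {
	env := make(map[string]string, len(defaultEnvVariables)+len(userEnv))
	for k, v := range defaultEnvVariables {
		env[k] = v
	}
	for k, v := range userEnv {
		env[k] = v
	}
	return env
}

// secondContainerSeesSecret simulates two container creations handled by the
// same long-lived API process: container A passes a secret via its env,
// container B passes no variables at all. It reports whether B's resulting
// environment nevertheless contains A's secret. The shared defaults are
// reset first so the two variants can be compared independently.
func secondContainerSeesSecret(build func(map[string]string) map[string]string) bool {
	defaultEnvVariables = newDefaults()

	// Constructed inputs: container A is handed a secret, container B is not.
	build(map[string]string{"DB_PASSWORD": "s3cr3t-from-container-A"})
	envB := build(nil)

	_, found := envB["DB_PASSWORD"]
	return found
}

func main() {
	fmt.Println("vulnerable variant leaks secret:", secondContainerSeesSecret(envBeforeFix))
	fmt.Println("fixed variant leaks secret:     ", secondContainerSeesSecret(envAfterFix))
}
```

The same hazard applies to any package-level map or slice that a request handler "assigns" and then mutates: in Go, `env := defaults` never produces an independent copy, so per-request state built from shared defaults must be copied element by element (or the defaults kept immutable) before it is modified.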
To actually get access to possible secrets passed through environment variables, an attacker would require access to containers in the infrastructure, created in such a way to trigger this flaw.
By default, in Red Hat Enterprise Linux 8 when using the podman socket/service through systemd, the varlink session automatically expires after 60 seconds, so for environment variables to leak from one container to another the containers have to be created within that window of the same API process.
Created podman tracking bugs for this issue: Affects: fedora-all [bug 1881345]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14370
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:5056 https://access.redhat.com/errata/RHSA-2020:5056
Statement: Whilst OpenShift Container Platform (OCP) does include podman, the Varlink API is not enabled by default. However, as it is trivial to activate this feature, OCP has been marked as affected. OCP 3.11 previously packaged podman, but now relies on the version from rhel-extra. The older version previously packaged is not vulnerable to this CVE and has hence been marked not affected.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:0531 https://access.redhat.com/errata/RHSA-2021:0531