CVE-2023-25809 – github.com/opencontainers/runc

Package

Manager: go
Name: github.com/opencontainers/runc
Vulnerable Version: >=0 <1.1.5

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

EPSS: 0.0003 pctl0.07027

Details

rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc ### Impact It was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) 2. or, when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare) A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. ### Patches v1.1.5 (planned) ### Workarounds - Condition 1: Unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. - Condition 2 (very rare): add `/sys/fs/cgroup` to `maskedPaths`

Metadata

Created: 2023-03-30T20:17:24Z
Modified: 2023-03-30T20:17:24Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-m8cg-xc2p-r3fc/GHSA-m8cg-xc2p-r3fc.json
CWE IDs: ["CWE-281"]
Alternative ID: GHSA-m8cg-xc2p-r3fc
Finding: F159
Auto approve: 1