Fluid Attacks Database

Description

runc AppArmor bypass with symlinked /proc

Impact

It was found that AppArmor, and potentially SELinux, can be bypassed when /proc inside the container is symlinked with a specific mount configuration.

Patches

Fixed in runc v1.1.5, by prohibiting symlinked /proc: https://github.com/opencontainers/runc/pull/3785

This PR fixes CVE-2023-27561 as well.

Workarounds

Avoid using an untrusted container image.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/opencontainers/runc	>=0 <1.1.5	1.1.5
go	github.com/opencontainers/runc/libcontainer	>=0 <1.1.5	v1.1.5
debian 11	runc	=1.0.0~rc93+ds1-5 \|\| =1.0.0~rc93+ds1-5+deb11u1 \|\| =1.0.0~rc93+ds1-5+deb11u2 \|\| =1.0.0~rc93+ds1-5+deb11u3 \|\| =1.0.0~rc93+ds1-5+deb11u4 \|\| >=0 <1.0.0~rc93+ds1-5+deb11u5	1.0.0~rc93+ds1-5+deb11u5
debian 12	runc	>=0 <1.1.5+ds1-1	1.1.5+ds1-1
debian 13	runc	>=0 <1.1.5+ds1-1	1.1.5+ds1-1
debian 14	runc	>=0 <1.1.5+ds1-1	1.1.5+ds1-1
rpm rhel7	runc	-	-
rpm rhel8	runc	-	-
rpm rhel9	runc	<4:1.1.9-1.el9	4:1.1.9-1.el9

Aliases

1. CVE-2023-286422. NVD-2023-286423. OSV-2023-286424. OSV-DEBIAN-2023-286425. GHSA-g2j6-57v7-gm8c6. GCVE-2023-286427. GHSA-g2j6-57v7-gm8c8. SECURITY-TRACKER-CVE-2023-28642

References

1. https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c2. https://github.com/opencontainers/runc/pull/37853. https://security.netapp.com/advisory/ntap-20241206-0005

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.