Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2021-30465 |
CWE-ID | CWE-254 |
Exploitation vector | Local network |
Public exploit | N/A |
Vulnerable software |
Operating systems & Components / Operating system: Anolis OS
Operating systems & Components / Operating system package or component: podman-docker, container-selinux, cockpit-podman, skopeo-tests, skopeo, podman-tests, podman-remote, podman, fuse-overlayfs, containers-common, conmon, buildah-tests, buildah, udica, toolbox, python-podman-api, slirp4netns, runc, python3-criu, criu, crit, containernetworking-plugins |
Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU53399
Risk: Low
CVSSv4.0: 4.7 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-30465
CWE-ID: CWE-254 - Security Features
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a security features bypass issue. A remote authenticated attacker on the local network can perform a symlink exchange attack, resulting in the host filesystem being bind-mounted into the container.
Mitigation
Install updates from the vendor's repository.
Vulnerable software versions
Anolis OS: 8
podman-docker: before 1.6.4-26
container-selinux: before 2.130.0-1
cockpit-podman: before 11-1
skopeo-tests: before 0.1.41-4
skopeo: before 0.1.41-4
podman-tests: before 1.6.4-26
podman-remote: before 1.6.4-26
podman: before 1.6.4-26
fuse-overlayfs: before 0.7.8-1
containers-common: before 0.1.41-4
conmon: before 2.0.15-1
buildah-tests: before 1.11.6-8
buildah: before 1.11.6-8
udica: before 0.2.1-2
toolbox: before 0.0.7-1
python-podman-api: before 1.2.0-0.2.gitd0a45fe
slirp4netns: before 0.4.2-3.git21fdece
runc: before 1.0.0-65.rc10
python3-criu: before 3.12-9
criu: before 3.12-9
crit: before 3.12-9
containernetworking-plugins: before 0.8.3-4
CPE2.3
https://anas.openanolis.cn/errata/detail/ANSA-2021:0045
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.