Anolis OS update for container-tools:2.0 module
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2022-27649 CVE-2022-27651 |
| CWE-ID | CWE-264 CWE-276 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system podman-docker Operating systems & Components / Operating system package or component runc Operating systems & Components / Operating system package or component podman-tests Operating systems & Components / Operating system package or component podman-remote Operating systems & Components / Operating system package or component podman Operating systems & Components / Operating system package or component buildah-tests Operating systems & Components / Operating system package or component buildah Operating systems & Components / Operating system package or component container-selinux Operating systems & Components / Operating system package or component cockpit-podman Operating systems & Components / Operating system package or component skopeo-tests Operating systems & Components / Operating system package or component skopeo Operating systems & Components / Operating system package or component fuse-overlayfs Operating systems & Components / Operating system package or component containers-common Operating systems & Components / Operating system package or component conmon Operating systems & Components / Operating system package or component udica Operating systems & Components / Operating system package or component toolbox Operating systems & Components / Operating system package or component python-podman-api Operating systems & Components / Operating system package or component slirp4netns Operating systems & Components / Operating system package or component python3-criu Operating systems & Components / Operating system package or component criu Operating systems & Components / Operating system package or component crit Operating systems & Components / Operating system package or component containernetworking-plugins Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU61829
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-27649
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to excess inheritable capabilities set, which leads to security restrictions bypass and privilege escalation.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
podman-docker: before 1.6.4-28
runc: before 1.0.0-66.rc10
podman-tests: before 1.6.4-28
podman-remote: before 1.6.4-28
podman: before 1.6.4-28
buildah-tests: before 1.11.6-10
buildah: before 1.11.6-10
container-selinux: before 2.130.0-1
cockpit-podman: before 11-1
skopeo-tests: before 0.1.41-4
skopeo: before 0.1.41-4
fuse-overlayfs: before 0.7.8-1
containers-common: before 0.1.41-4
conmon: before 2.0.15-1
udica: before 0.2.1-2
toolbox: before 0.0.7-1
python-podman-api: before 1.2.0-0.2.gitd0a45fe
slirp4netns: before 0.4.2-3.git21fdece
python3-criu: before 3.12-9
criu: before 3.12-9
crit: before 3.12-9
containernetworking-plugins: before 0.8.3-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:podman-docker:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:runc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-remote:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:container-selinux:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:cockpit-podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:fuse-overlayfs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containers-common:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:conmon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:udica:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:toolbox:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python-podman-api:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:slirp4netns:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python3-criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:crit:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containernetworking-plugins:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2022:0116
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Incorrect default permissions
EUVDB-ID: #VU61797
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-27651
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A remote attacker can view contents of files and directories or modify them.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
podman-docker: before 1.6.4-28
runc: before 1.0.0-66.rc10
podman-tests: before 1.6.4-28
podman-remote: before 1.6.4-28
podman: before 1.6.4-28
buildah-tests: before 1.11.6-10
buildah: before 1.11.6-10
container-selinux: before 2.130.0-1
cockpit-podman: before 11-1
skopeo-tests: before 0.1.41-4
skopeo: before 0.1.41-4
fuse-overlayfs: before 0.7.8-1
containers-common: before 0.1.41-4
conmon: before 2.0.15-1
udica: before 0.2.1-2
toolbox: before 0.0.7-1
python-podman-api: before 1.2.0-0.2.gitd0a45fe
slirp4netns: before 0.4.2-3.git21fdece
python3-criu: before 3.12-9
criu: before 3.12-9
crit: before 3.12-9
containernetworking-plugins: before 0.8.3-4
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:podman-docker:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:runc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-remote:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:container-selinux:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:cockpit-podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:fuse-overlayfs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containers-common:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:conmon:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:udica:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:toolbox:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python-podman-api:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:slirp4netns:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python3-criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:crit:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containernetworking-plugins:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2022:0116
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
