SUSE update for containerd, docker and runc

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU63090

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-29162

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to containers are incorrectly started with non-empty inheritable Linux process capabilities, which leads to security restrictions bypass and privilege escalation.

Mitigation

Update the affected package containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 15-SP3 - 15-SP4

SUSE Enterprise Storage: 6 - 7.1

SUSE Manager Retail Branch Server: 4.1 - 4.3

SUSE Linux Enterprise Storage: 7.1

SUSE Manager Server: 4.1 - 4.3

SUSE Manager Proxy: 4.1 - 4.3

SUSE Linux Enterprise Micro: 5.1 - 5.2

SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP2

SUSE Linux Enterprise Server: 15-LTSS - 15-SP4

SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP4

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.3 - 15.4

SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4

SUSE Linux Enterprise Module for Packagehub Subpackages: 15-SP3

docker-zsh-completion: before 20.10.17_ce-150000.166.1

docker-kubic-zsh-completion: before 20.10.17_ce-150000.166.1

docker-kubic-fish-completion: before 20.10.17_ce-150000.166.1

docker-kubic-bash-completion: before 20.10.17_ce-150000.166.1

docker-fish-completion: before 20.10.17_ce-150000.166.1

docker-bash-completion: before 20.10.17_ce-150000.166.1

runc-debuginfo: before 1.1.3-150000.30.1

runc: before 1.1.3-150000.30.1

docker-kubic-kubeadm-criconfig: before 20.10.17_ce-150000.166.1

docker-kubic-debuginfo: before 20.10.17_ce-150000.166.1

docker-kubic: before 20.10.17_ce-150000.166.1

docker-debuginfo: before 20.10.17_ce-150000.166.1

docker: before 20.10.17_ce-150000.166.1

containerd-ctr: before 1.6.6-150000.73.2

containerd: before 1.6.6-150000.73.2

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_module_for_containers:15-SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_module_for_containers:15-SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:7.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server:4.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server:4.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_storage:7.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_server:4.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_proxy:4.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro:5.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server:15-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_caas_platform:4.0:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:15-SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_module_for_packagehub_subpackages:15-SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:docker-zsh-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-zsh-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-fish-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-bash-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-fish-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-bash-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:runc-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:runc:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-kubeadm-criconfig:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:containerd-ctr:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:containerd:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20222341-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource exhaustion

EUVDB-ID: #VU64007

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-31030

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the ExecSync API. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected package containerd, docker and runc to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Containers: 15-SP3 - 15-SP4

SUSE Enterprise Storage: 6 - 7.1

SUSE Manager Retail Branch Server: 4.1 - 4.3

SUSE Linux Enterprise Storage: 7.1

SUSE Manager Server: 4.1 - 4.3

SUSE Manager Proxy: 4.1 - 4.3

SUSE Linux Enterprise Micro: 5.1 - 5.2

SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP2

SUSE Linux Enterprise Server: 15-LTSS - 15-SP4

SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP4

SUSE CaaS Platform: 4.0

openSUSE Leap: 15.3 - 15.4

SUSE Linux Enterprise Server for SAP Applications: 15-SP3 - 15-SP4

SUSE Linux Enterprise Module for Packagehub Subpackages: 15-SP3

docker-zsh-completion: before 20.10.17_ce-150000.166.1

docker-kubic-zsh-completion: before 20.10.17_ce-150000.166.1

docker-kubic-fish-completion: before 20.10.17_ce-150000.166.1

docker-kubic-bash-completion: before 20.10.17_ce-150000.166.1

docker-fish-completion: before 20.10.17_ce-150000.166.1

docker-bash-completion: before 20.10.17_ce-150000.166.1

runc-debuginfo: before 1.1.3-150000.30.1

runc: before 1.1.3-150000.30.1

docker-kubic-kubeadm-criconfig: before 20.10.17_ce-150000.166.1

docker-kubic-debuginfo: before 20.10.17_ce-150000.166.1

docker-kubic: before 20.10.17_ce-150000.166.1

docker-debuginfo: before 20.10.17_ce-150000.166.1

docker: before 20.10.17_ce-150000.166.1

containerd-ctr: before 1.6.6-150000.73.2

containerd: before 1.6.6-150000.73.2

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_module_for_containers:15-SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_module_for_containers:15-SP4:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:6:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:7:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_enterprise_storage:7.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server:4.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server:4.2:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_retail_branch_server:4.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_storage:7.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_server:4.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_manager_proxy:4.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_micro:5.1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap:15-SP1:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server:15-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_high_performance_computing:15-LTSS:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_caas_platform:4.0:*:*:*:*:*:*:*
• cpe:2.3:o:suse:opensuse_leap:15.3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications:15-SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_module_for_packagehub_subpackages:15-SP3:*:*:*:*:*:*:*
• cpe:2.3:o:suse:docker-zsh-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-zsh-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-fish-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-bash-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-fish-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-bash-completion:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:runc-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:runc:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-kubeadm-criconfig:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-kubic:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:docker:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:containerd-ctr:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:o:suse:containerd:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20222341-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.