Anolis OS update for container-tools:an8 module
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2024-9341 CVE-2024-9407 CVE-2024-9675 |
| CWE-ID | CWE-20 CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Anolis OS Operating systems & Components / Operating system python3-podman Operating systems & Components / Operating system package or component podman-docker Operating systems & Components / Operating system package or component skopeo-tests Operating systems & Components / Operating system package or component skopeo Operating systems & Components / Operating system package or component runc Operating systems & Components / Operating system package or component podman-tests Operating systems & Components / Operating system package or component podman-remote Operating systems & Components / Operating system package or component podman-plugins Operating systems & Components / Operating system package or component podman-gvproxy Operating systems & Components / Operating system package or component podman-catatonit Operating systems & Components / Operating system package or component podman Operating systems & Components / Operating system package or component containers-common Operating systems & Components / Operating system package or component containernetworking-plugins Operating systems & Components / Operating system package or component buildah-tests Operating systems & Components / Operating system package or component buildah Operating systems & Components / Operating system package or component aardvark-dns Operating systems & Components / Operating system package or component udica Operating systems & Components / Operating system package or component container-selinux Operating systems & Components / Operating system package or component cockpit-podman Operating systems & Components / Operating system package or component toolbox-tests Operating systems & Components / Operating system package or component toolbox Operating systems & Components / Operating system package or component slirp4netns Operating systems & Components / Operating system package or component python3-criu Operating systems & Components / Operating system package or component oci-seccomp-bpf-hook Operating systems & Components / Operating system package or component netavark Operating systems & Components / Operating system package or component libslirp-devel Operating systems & Components / Operating system package or component libslirp Operating systems & Components / Operating system package or component fuse-overlayfs Operating systems & Components / Operating system package or component crun Operating systems & Components / Operating system package or component criu-libs Operating systems & Components / Operating system package or component criu-devel Operating systems & Components / Operating system package or component criu Operating systems & Components / Operating system package or component crit Operating systems & Components / Operating system package or component conmon Operating systems & Components / Operating system package or component |
| Vendor | OpenAnolis |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU98141
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9341
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input. When FIPS mode is enabled on a system, container runtimes may incorrectly handle certain file paths due to improper validation in the containers/common Go library. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
python3-podman: before 4.9.0-2
podman-docker: before 4.9.4-15.0.1
skopeo-tests: before 1.14.5-3.0.1
skopeo: before 1.14.5-3.0.1
runc: before 1.1.12-5.0.1
podman-tests: before 4.9.4-15.0.1
podman-remote: before 4.9.4-15.0.1
podman-plugins: before 4.9.4-15.0.1
podman-gvproxy: before 4.9.4-15.0.1
podman-catatonit: before 4.9.4-15.0.1
podman: before 4.9.4-15.0.1
containers-common: before 1-82.0.1
containernetworking-plugins: before 1.4.0-5.0.1
buildah-tests: before 1.33.10-1
buildah: before 1.33.10-1
aardvark-dns: before 1.10.1-2.0.1
udica: before 0.2.6-21
container-selinux: before 2.229.0-2
cockpit-podman: before 84.1-1
toolbox-tests: before 0.0.99.5-2.0.1
toolbox: before 0.0.99.5-2.0.1
slirp4netns: before 1.2.3-1
python3-criu: before 3.18-5.0.1
oci-seccomp-bpf-hook: before 1.2.10-1
netavark: before 1.10.3-1.0.1
libslirp-devel: before 4.4.0-2
libslirp: before 4.4.0-2
fuse-overlayfs: before 1.13-1.0.1
crun: before 1.14.3-2
criu-libs: before 3.18-5.0.1
criu-devel: before 3.18-5.0.1
criu: before 3.18-5.0.1
crit: before 3.18-5.0.1
conmon: before 2.1.10-1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:python3-podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-docker:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:runc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-remote:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-plugins:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-gvproxy:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-catatonit:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containers-common:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containernetworking-plugins:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:aardvark-dns:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:udica:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:container-selinux:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:cockpit-podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:toolbox-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:toolbox:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:slirp4netns:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python3-criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:oci-seccomp-bpf-hook:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:netavark:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libslirp-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libslirp:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:fuse-overlayfs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:crun:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu-libs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:crit:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:conmon:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:1036
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU98140
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9407
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files.
Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
python3-podman: before 4.9.0-2
podman-docker: before 4.9.4-15.0.1
skopeo-tests: before 1.14.5-3.0.1
skopeo: before 1.14.5-3.0.1
runc: before 1.1.12-5.0.1
podman-tests: before 4.9.4-15.0.1
podman-remote: before 4.9.4-15.0.1
podman-plugins: before 4.9.4-15.0.1
podman-gvproxy: before 4.9.4-15.0.1
podman-catatonit: before 4.9.4-15.0.1
podman: before 4.9.4-15.0.1
containers-common: before 1-82.0.1
containernetworking-plugins: before 1.4.0-5.0.1
buildah-tests: before 1.33.10-1
buildah: before 1.33.10-1
aardvark-dns: before 1.10.1-2.0.1
udica: before 0.2.6-21
container-selinux: before 2.229.0-2
cockpit-podman: before 84.1-1
toolbox-tests: before 0.0.99.5-2.0.1
toolbox: before 0.0.99.5-2.0.1
slirp4netns: before 1.2.3-1
python3-criu: before 3.18-5.0.1
oci-seccomp-bpf-hook: before 1.2.10-1
netavark: before 1.10.3-1.0.1
libslirp-devel: before 4.4.0-2
libslirp: before 4.4.0-2
fuse-overlayfs: before 1.13-1.0.1
crun: before 1.14.3-2
criu-libs: before 3.18-5.0.1
criu-devel: before 3.18-5.0.1
criu: before 3.18-5.0.1
crit: before 3.18-5.0.1
conmon: before 2.1.10-1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:python3-podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-docker:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:runc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-remote:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-plugins:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-gvproxy:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-catatonit:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containers-common:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containernetworking-plugins:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:aardvark-dns:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:udica:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:container-selinux:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:cockpit-podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:toolbox-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:toolbox:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:slirp4netns:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python3-criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:oci-seccomp-bpf-hook:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:netavark:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libslirp-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libslirp:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:fuse-overlayfs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:crun:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu-libs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:crit:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:conmon:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:1036
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Path traversal
EUVDB-ID: #VU98828
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-9675
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to input validation error when processing directory traversal sequences in cache mounts. A local user can execute a 'RUN' instruction in a Container file to mount an arbitrary directory from the host into the container as long as those files can be accessed by the user running Buildah.
MitigationInstall updates from vendor's repository.
Vulnerable software versionsAnolis OS: 8
python3-podman: before 4.9.0-2
podman-docker: before 4.9.4-15.0.1
skopeo-tests: before 1.14.5-3.0.1
skopeo: before 1.14.5-3.0.1
runc: before 1.1.12-5.0.1
podman-tests: before 4.9.4-15.0.1
podman-remote: before 4.9.4-15.0.1
podman-plugins: before 4.9.4-15.0.1
podman-gvproxy: before 4.9.4-15.0.1
podman-catatonit: before 4.9.4-15.0.1
podman: before 4.9.4-15.0.1
containers-common: before 1-82.0.1
containernetworking-plugins: before 1.4.0-5.0.1
buildah-tests: before 1.33.10-1
buildah: before 1.33.10-1
aardvark-dns: before 1.10.1-2.0.1
udica: before 0.2.6-21
container-selinux: before 2.229.0-2
cockpit-podman: before 84.1-1
toolbox-tests: before 0.0.99.5-2.0.1
toolbox: before 0.0.99.5-2.0.1
slirp4netns: before 1.2.3-1
python3-criu: before 3.18-5.0.1
oci-seccomp-bpf-hook: before 1.2.10-1
netavark: before 1.10.3-1.0.1
libslirp-devel: before 4.4.0-2
libslirp: before 4.4.0-2
fuse-overlayfs: before 1.13-1.0.1
crun: before 1.14.3-2
criu-libs: before 3.18-5.0.1
criu-devel: before 3.18-5.0.1
criu: before 3.18-5.0.1
crit: before 3.18-5.0.1
conmon: before 2.1.10-1
CPE2.3- cpe:2.3:o:openanolis:anolis_os:8:*:*:*:*:*:*:*
- cpe:2.3:o:openanolis:python3-podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-docker:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:skopeo:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:runc:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-remote:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-plugins:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-gvproxy:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman-catatonit:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containers-common:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:containernetworking-plugins:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:buildah:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:aardvark-dns:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:udica:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:container-selinux:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:cockpit-podman:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:toolbox-tests:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:toolbox:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:slirp4netns:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:python3-criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:oci-seccomp-bpf-hook:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:netavark:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libslirp-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:libslirp:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:fuse-overlayfs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:crun:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu-libs:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu-devel:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:criu:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:crit:*:*:*:*:*:anolis_os:*:*
- cpe:2.3:o:openanolis:conmon:*:*:*:*:*:anolis_os:*:*
https://anas.openanolis.cn/errata/detail/ANSA-2024:1036
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
