CVE-2021-21284 (GCVE-0-2021-21284)
Vulnerability from cvelistv5 – Published: 2021-02-02 17:55 – Updated: 2024-08-03 18:09 – CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| URL | Tags |
|---|---|
| https://docs.docker.com/engine/release-notes/#20103 | x_refsource_MISC |
| https://github.com/moby/moby/releases/tag/v20.10.3 | x_refsource_MISC |
| https://github.com/moby/moby/releases/tag/v19.03.15 | x_refsource_MISC |
| https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc | x_refsource_CONFIRM |
| https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-20210226-0005/ | x_refsource_CONFIRM |
| https://www.debian.org/security/2021/dsa-4865 | vendor-advisoryx_refsource_DEBIAN |
| https://security.gentoo.org/glsa/202107-23 | vendor-advisoryx_refsource_GENTOO |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:15.042Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.docker.com/engine/release-notes/#20103"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/releases/tag/v20.10.3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/releases/tag/v19.03.15"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
},
{
"name": "DSA-4865",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4865"
},
{
"name": "GLSA-202107-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202107-23"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "moby",
"vendor": "moby",
"versions": [
{
"status": "affected",
"version": "\u003c 19.03.15"
},
{
"status": "affected",
"version": "\u003e= 20.0.0, \u003c 20.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Docker before versions 19.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-07-10T04:06:25.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.docker.com/engine/release-notes/#20103"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/releases/tag/v20.10.3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/releases/tag/v19.03.15"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
},
{
"name": "DSA-4865",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4865"
},
{
"name": "GLSA-202107-23",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202107-23"
}
],
"source": {
"advisory": "GHSA-7452-xqpj-6rpc",
"discovery": "UNKNOWN"
},
"title": "privilege escalation in Moby",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21284",
"STATE": "PUBLIC",
"TITLE": "privilege escalation in Moby"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "moby",
"version": {
"version_data": [
{
"version_value": "\u003c 19.03.15"
},
{
"version_value": "\u003e= 20.0.0, \u003c 20.10.3"
}
]
}
}
]
},
"vendor_name": "moby"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Docker before versions 19.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.docker.com/engine/release-notes/#20103",
"refsource": "MISC",
"url": "https://docs.docker.com/engine/release-notes/#20103"
},
{
"name": "https://github.com/moby/moby/releases/tag/v20.10.3",
"refsource": "MISC",
"url": "https://github.com/moby/moby/releases/tag/v20.10.3"
},
{
"name": "https://github.com/moby/moby/releases/tag/v19.03.15",
"refsource": "MISC",
"url": "https://github.com/moby/moby/releases/tag/v19.03.15"
},
{
"name": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc",
"refsource": "CONFIRM",
"url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
},
{
"name": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c",
"refsource": "MISC",
"url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210226-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
},
{
"name": "DSA-4865",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4865"
},
{
"name": "GLSA-202107-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202107-23"
}
]
},
"source": {
"advisory": "GHSA-7452-xqpj-6rpc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21284",
"datePublished": "2021-02-02T17:55:22.000Z",
"dateReserved": "2020-12-22T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:09:15.042Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-21284",
"date": "2026-05-31",
"epss": "0.0002",
"percentile": "0.05962"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-21284\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-02-02T18:15:11.827\",\"lastModified\":\"2024-11-21T05:47:55.867\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \\\"--userns-remap\\\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \\\"/var/lib/docker/\u003cremapping\u003e\\\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.\"},{\"lang\":\"es\",\"value\":\"En Docker versiones anteriores a 9.03.15, 20.10.3, se presenta una vulnerabilidad que involucra la opci\u00f3n --userns-remap en la que un acceso a una root reasignada permite una escalada de privilegios a la root actual.\u0026#xa0;Cuando se usa \\\"--userns-remap\\\", si el usuario root en el espacio de nombres reasignado tiene acceso al sistema de archivos del host, puede modificar archivos en \\\"/var/lib/docker/(remapping)\\\" que causa la escritura de archivos con privilegios extendidos.\u0026#xa0;Las versiones 20.10.3 y 19.03.15 contienen parches que evitan una escalada de privilegios del usuario 
reasignado\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":4.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:A/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":2.7,\"accessVector\":\"ADJACENT_NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":5.1,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"cri
teria\":\"cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"19.03.15\",\"matchCriteriaId\":\"C6B22016-AB78-4E82-9F65-AEC2526F3EDF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"20.0.0\",\"versionEndExcluding\":\"20.10.3\",\"matchCriteriaId\":\"B4427D14-D219-490B-8467-40FE253775A1\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0.0\",\"versionEndIncluding\":\"11.60.3\",\"matchCriteriaId\":\"BD1E9594-C46F-40D1-8BC2-6B16635B55C4\"}]}]}],\"references\":[{\"url\":\"https://docs.docker.com/engine/release-notes/#20103\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/releases/tag/v19.03.15\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/releases/tag/v20.10.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202107-23\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210226-0005/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4865\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://docs.docker.com/engine/release-notes/#20103\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/releases/tag/v19.03.15\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/releases/tag/v20.10.3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202107-23\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210226-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4865\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
{
"CVSS 2.0": "AV:A/AC:L/Au:S/C:N/I:P/A:N",
"CVSS 3.0": "AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Docker Inc., \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "10 (Debian GNU/Linux), \u0434\u043e 19.03.15 (Docker), \u043e\u0442 20.0.0 \u0434\u043e 20.10.3 (Docker), 1.7 (Astra Linux Special Edition), 4.7 (Astra Linux Special Edition), \u0434\u043e 2.1 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Docker:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f \u0434\u043e 20.10.5+dfsg1-1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f Debian:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 docker.io) \u0434\u043e 18.09.1+dfsg1-7.1+deb10u3 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0441\u043d\u043e\u0432\u0430:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f docker.io \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 18.09.1+dfsg1-7.1+deb10u3.osnova5\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux Special Edition 1.7:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 docker.io \u0434\u043e 24.0.2+astra14 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 
\u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f docker.io \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 18.09.1+dfsg1-7.1+deb10u3.osnova5\n\n\u0414\u043b\u044f Astra Linux Special Edition 4.7:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 docker.io \u0434\u043e 24.0.2+ci1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "22.12.2020",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "27.04.2024",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "06.04.2021",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-01893",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-21284",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Docker, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 4.7 ARM (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u043f\u0446\u0438\u0438 --userns-remap \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u0440\u0430\u0437\u0432\u0451\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u044f \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 \u0432 \u0441\u0440\u0435\u0434\u0430\u0445 \u0441 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u043e\u0439 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0438\u0437\u0430\u0446\u0438\u0438 Docker, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c \u0438\u043c\u0435\u043d\u0438 \u043f\u0443\u0442\u0438 \u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0445",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0432\u0435\u0440\u043d\u043e\u0435 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435 \u0438\u043c\u0435\u043d\u0438 \u043f\u0443\u0442\u0438 \u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443 \u0441 \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u043e\u043c (\u00ab\u041e\u0431\u0445\u043e\u0434 \u043f\u0443\u0442\u0438\u00bb) (CWE-22)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043e\u043f\u0446\u0438\u0438 --userns-remap \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0430\u0432\u0442\u043e\u043c\u0430\u0442\u0438\u0437\u0430\u0446\u0438\u0438 \u0440\u0430\u0437\u0432\u0451\u0440\u0442\u044b\u0432\u0430\u043d\u0438\u044f \u0438 \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 \u0432 \u0441\u0440\u0435\u0434\u0430\u0445 \u0441 \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u043e\u0439 \u043a\u043e\u043d\u0442\u0435\u0439\u043d\u0435\u0440\u0438\u0437\u0430\u0446\u0438\u0438 Docker \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u044b\u043c \u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u0438\u0435\u043c \u0438\u043c\u0435\u043d\u0438 \u043f\u0443\u0442\u0438 \u043a \u043a\u0430\u0442\u0430\u043b\u043e\u0433\u0443. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u0435\u0442 \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043e\u0437\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0434\u0430\u043d\u043d\u044b\u0445",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://docs.docker.com/engine/release-notes/#20103\nhttps://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-21284\nhttps://security-tracker.debian.org/tracker/CVE-2021-21284\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.1/\nhttps://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-1023SE17\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023\nhttps://wiki.astralinux.ru/astra-linux-se47-bulletin-2024-0416SE47",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041f\u041e \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0418\u0418",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-22",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041d\u0438\u0437\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 2,7)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,6)"
}
CERTFR-2021-AVI-490
Vulnerability from certfr_avis - Published: 2021-06-29 - Updated: 2021-06-29
De multiples vulnérabilités ont été découvertes dans IBM Spectrum Protect. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Spectrum Protect Plus versions 10.1.x ant\u00e9rieures \u00e0 10.1.8.1",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-27919",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-27919"
},
{
"name": "CVE-2021-21343",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21343"
},
{
"name": "CVE-2021-21348",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21348"
},
{
"name": "CVE-2021-29505",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29505"
},
{
"name": "CVE-2020-26258",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26258"
},
{
"name": "CVE-2021-31525",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31525"
},
{
"name": "CVE-2021-21344",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21344"
},
{
"name": "CVE-2021-33503",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33503"
},
{
"name": "CVE-2020-26259",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26259"
},
{
"name": "CVE-2021-21341",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21341"
},
{
"name": "CVE-2021-21285",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21285"
},
{
"name": "CVE-2021-21362",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21362"
},
{
"name": "CVE-2021-23358",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23358"
},
{
"name": "CVE-2020-14147",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14147"
},
{
"name": "CVE-2021-21347",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21347"
},
{
"name": "CVE-2020-26217",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-26217"
},
{
"name": "CVE-2021-21346",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21346"
},
{
"name": "CVE-2021-29921",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29921"
},
{
"name": "CVE-2020-28476",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-28476"
},
{
"name": "CVE-2020-7929",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7929"
},
{
"name": "CVE-2021-21351",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21351"
},
{
"name": "CVE-2021-21345",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21345"
},
{
"name": "CVE-2021-22884",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22884"
},
{
"name": "CVE-2021-3177",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3177"
},
{
"name": "CVE-2021-22883",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22883"
},
{
"name": "CVE-2021-28363",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28363"
},
{
"name": "CVE-2021-21349",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21349"
},
{
"name": "CVE-2021-21342",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21342"
},
{
"name": "CVE-2021-21350",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21350"
},
{
"name": "CVE-2021-21284",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21284"
}
],
"initial_release_date": "2021-06-29T00:00:00",
"last_revision_date": "2021-06-29T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-490",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-06-29T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Spectrum\nProtect. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Spectrum Protect",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6466435 du 28 juin 2021",
"url": "https://www.ibm.com/support/pages/node/6466435"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6467281 du 28 juin 2021",
"url": "https://www.ibm.com/support/pages/node/6467281"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6466599 du 28 juin 2021",
"url": "https://www.ibm.com/support/pages/node/6466599"
}
]
}
CERTFR-2021-AVI-700
Vulnerability from certfr_avis - Published: 2021-09-14 - Updated: 2021-09-14
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Security Guardium version 11.2 sans le dernier correctif",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Security Guardium version 11.3 sans le dernier correctif",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-12749",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12749"
},
{
"name": "CVE-2020-24606",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24606"
},
{
"name": "CVE-2019-14866",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14866"
},
{
"name": "CVE-2021-20428",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20428"
},
{
"name": "CVE-2019-5094",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5094"
},
{
"name": "CVE-2020-8450",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8450"
},
{
"name": "CVE-2019-19956",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-19956"
},
{
"name": "CVE-2021-21285",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21285"
},
{
"name": "CVE-2020-8177",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8177"
},
{
"name": "CVE-2020-15049",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15049"
},
{
"name": "CVE-2019-12450",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12450"
},
{
"name": "CVE-2020-10754",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10754"
},
{
"name": "CVE-2020-13401",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13401"
},
{
"name": "CVE-2019-20388",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20388"
},
{
"name": "CVE-2019-14822",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14822"
},
{
"name": "CVE-2019-10785",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10785"
},
{
"name": "CVE-2021-20385",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20385"
},
{
"name": "CVE-2020-7595",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7595"
},
{
"name": "CVE-2020-5259",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-5259"
},
{
"name": "CVE-2019-11719",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11719"
},
{
"name": "CVE-2019-12528",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12528"
},
{
"name": "CVE-2021-3156",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3156"
},
{
"name": "CVE-2020-15810",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15810"
},
{
"name": "CVE-2020-15811",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15811"
},
{
"name": "CVE-2020-8449",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8449"
},
{
"name": "CVE-2021-20426",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20426"
},
{
"name": "CVE-2020-12825",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12825"
},
{
"name": "CVE-2021-20419",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20419"
},
{
"name": "CVE-2019-5482",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5482"
},
{
"name": "CVE-2019-5188",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5188"
},
{
"name": "CVE-2021-20389",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20389"
},
{
"name": "CVE-2021-20386",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20386"
},
{
"name": "CVE-2020-12049",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-12049"
},
{
"name": "CVE-2020-5258",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-5258"
},
{
"name": "CVE-2021-21284",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21284"
}
],
"initial_release_date": "2021-09-14T00:00:00",
"last_revision_date": "2021-09-14T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-700",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-09-14T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6455281 du 13 septembre 2021",
"url": "https://www.ibm.com/support/pages/node/6455281"
}
]
}
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c
| Name | ['Docker Docker <9.03.15', 'Docker Docker <20.10.3'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2021-21284",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-21284"
}
},
"description": "Docker\u662f\u7f8e\u56fdDocker\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5e94\u7528\u5bb9\u5668\u5f15\u64ce\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u5728Linux\u7cfb\u7edf\u4e0a\u521b\u5efa\u4e00\u4e2a\u5bb9\u5668\uff08\u8f7b\u91cf\u7ea7\u865a\u62df\u673a\uff09\u5e76\u90e8\u7f72\u548c\u8fd0\u884c\u5e94\u7528\u7a0b\u5e8f\uff0c\u4ee5\u53ca\u901a\u8fc7\u914d\u7f6e\u6587\u4ef6\u5b9e\u73b0\u5e94\u7528\u7a0b\u5e8f\u7684\u81ea\u52a8\u5316\u5b89\u88c5\u3001\u90e8\u7f72\u548c\u5347\u7ea7\u3002\n\nDocker before versions 9.03.15, 20.10.3\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u88ab\u6620\u5c04\u7684\u547d\u540d\u7a7a\u95f4\u4e2d\u7684\u6839\u7528\u6237\u53ef\u4ee5\u8bbf\u95ee\u4e3b\u673a\u6587\u4ef6\u7cfb\u7edf\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-14789",
"openTime": "2021-03-07",
"patchDescription": "Docker\u662f\u7f8e\u56fdDocker\u516c\u53f8\u7684\u4e00\u6b3e\u5f00\u6e90\u7684\u5e94\u7528\u5bb9\u5668\u5f15\u64ce\u3002\u8be5\u4ea7\u54c1\u652f\u6301\u5728Linux\u7cfb\u7edf\u4e0a\u521b\u5efa\u4e00\u4e2a\u5bb9\u5668\uff08\u8f7b\u91cf\u7ea7\u865a\u62df\u673a\uff09\u5e76\u90e8\u7f72\u548c\u8fd0\u884c\u5e94\u7528\u7a0b\u5e8f\uff0c\u4ee5\u53ca\u901a\u8fc7\u914d\u7f6e\u6587\u4ef6\u5b9e\u73b0\u5e94\u7528\u7a0b\u5e8f\u7684\u81ea\u52a8\u5316\u5b89\u88c5\u3001\u90e8\u7f72\u548c\u5347\u7ea7\u3002\r\n\r\nDocker before versions 9.03.15, 20.10.3\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u88ab\u6620\u5c04\u7684\u547d\u540d\u7a7a\u95f4\u4e2d\u7684\u6839\u7528\u6237\u53ef\u4ee5\u8bbf\u95ee\u4e3b\u673a\u6587\u4ef6\u7cfb\u7edf\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Docker\u8def\u5f84\u904d\u5386\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Docker Docker \u003c9.03.15",
"Docker Docker \u003c20.10.3"
]
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-21284",
"serverity": "\u4f4e",
"submitTime": "2021-02-26",
"title": "Docker\u8def\u5f84\u904d\u5386\u6f0f\u6d1e"
}
FKIE_CVE-2021-21284
Vulnerability from fkie_nvd - Published: 2021-02-02 18:15 - Updated: 2024-11-21 05:47
6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
| Vendor | Product | Version | |
|---|---|---|---|
| docker | docker | * | |
| docker | docker | * | |
| debian | debian_linux | 10.0 | |
| netapp | e-series_santricity_os_controller | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C6B22016-AB78-4E82-9F65-AEC2526F3EDF",
"versionEndExcluding": "19.03.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4427D14-D219-490B-8467-40FE253775A1",
"versionEndExcluding": "20.10.3",
"versionStartIncluding": "20.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BD1E9594-C46F-40D1-8BC2-6B16635B55C4",
"versionEndIncluding": "11.60.3",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
},
{
"lang": "es",
"value": "En Docker versiones anteriores a 9.03.15, 20.10.3, se presenta una vulnerabilidad que involucra la opci\u00f3n --userns-remap en la que un acceso a una root reasignada permite una escalada de privilegios a la root actual.\u0026#xa0;Cuando se usa \"--userns-remap\", si el usuario root en el espacio de nombres reasignado tiene acceso al sistema de archivos del host, puede modificar archivos en \"/var/lib/docker/(remapping)\" que causa la escritura de archivos con privilegios extendidos.\u0026#xa0;Las versiones 20.10.3 y 19.03.15 contienen parches que evitan una escalada de privilegios del usuario reasignado"
}
],
"id": "CVE-2021-21284",
"lastModified": "2024-11-21T05:47:55.867",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-02T18:15:11.827",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.docker.com/engine/release-notes/#20103"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/releases/tag/v19.03.15"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/releases/tag/v20.10.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202107-23"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4865"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.docker.com/engine/release-notes/#20103"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/releases/tag/v19.03.15"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/releases/tag/v20.10.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202107-23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4865"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-7452-XQPJ-6RPC
Vulnerability from github – Published: 2024-01-31 23:14 – Updated: 2024-06-10 18:39
Impact
When using --userns-remap, if the root user in the remapped namespace has access to the host filesystem they can modify files under /var/lib/docker/<remapping> that cause writing files with extended privileges.
Patches
Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.
Credits
Maintainers would like to thank Alex Chapman for discovering the vulnerability; @awprice, @nathanburrell, @raulgomis, @chris-walz, @erin-jensby, @bassmatt, @mark-adams, @dbaxa for working on it and Zac Ellis for responsibly disclosing it to security@docker.com
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/moby/moby"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "19.3.15"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/moby/moby"
},
"ranges": [
{
"events": [
{
"introduced": "20.10.0-beta1"
},
{
"fixed": "20.10.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21284"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-31T23:14:25Z",
"nvd_published_at": "2021-02-02T18:15:00Z",
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen using `--userns-remap`, if the root user in the remapped namespace has access to the host filesystem they can modify files under `/var/lib/docker/\u003cremapping\u003e` that cause writing files with extended privileges.\n\n### Patches\n\nVersions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.\n\n### Credits\n\nMaintainers would like to thank Alex Chapman for discovering the vulnerability; @awprice, @nathanburrell, @raulgomis, @chris-walz, @erin-jensby, @bassmatt, @mark-adams, @dbaxa for working on it and Zac Ellis for responsibly disclosing it to security@docker.com",
"id": "GHSA-7452-xqpj-6rpc",
"modified": "2024-06-10T18:39:17Z",
"published": "2024-01-31T23:14:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21284"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
},
{
"type": "WEB",
"url": "https://docs.docker.com/engine/release-notes/#20103"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/releases/tag/v19.03.15"
},
{
"type": "WEB",
"url": "https://github.com/moby/moby/releases/tag/v20.10.3"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202107-23"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210226-0005"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2021/dsa-4865"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "moby Access to remapped root allows privilege escalation to real root"
}
GSD-2021-21284
Vulnerability from gsd - Updated: 2023-12-13 01:23
{
"GSD": {
"alias": "CVE-2021-21284",
"description": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.",
"id": "GSD-2021-21284",
"references": [
"https://www.suse.com/security/cve/CVE-2021-21284.html",
"https://www.debian.org/security/2021/dsa-4865",
"https://security.archlinux.org/CVE-2021-21284",
"https://alas.aws.amazon.com/cve/html/CVE-2021-21284.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-21284"
],
"details": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.",
"id": "GSD-2021-21284",
"modified": "2023-12-13T01:23:10.576438Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21284",
"STATE": "PUBLIC",
"TITLE": "privilege escalation in Moby"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "moby",
"version": {
"version_data": [
{
"version_value": "\u003c 19.03.15"
},
{
"version_value": "\u003e= 20.0.0, \u003c 20.10.3"
}
]
}
}
]
},
"vendor_name": "moby"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.docker.com/engine/release-notes/#20103",
"refsource": "MISC",
"url": "https://docs.docker.com/engine/release-notes/#20103"
},
{
"name": "https://github.com/moby/moby/releases/tag/v20.10.3",
"refsource": "MISC",
"url": "https://github.com/moby/moby/releases/tag/v20.10.3"
},
{
"name": "https://github.com/moby/moby/releases/tag/v19.03.15",
"refsource": "MISC",
"url": "https://github.com/moby/moby/releases/tag/v19.03.15"
},
{
"name": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc",
"refsource": "CONFIRM",
"url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
},
{
"name": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c",
"refsource": "MISC",
"url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210226-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
},
{
"name": "DSA-4865",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4865"
},
{
"name": "GLSA-202107-23",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202107-23"
}
]
},
"source": {
"advisory": "GHSA-7452-xqpj-6rpc",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "20.10.3",
"versionStartIncluding": "20.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:docker:docker:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "19.03.15",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "11.60.3",
"versionStartIncluding": "11.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21284"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-22"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/commit/64bd4485b3a66a597c02c95f5776395e540b2c7c"
},
{
"name": "https://docs.docker.com/engine/release-notes/#20103",
"refsource": "MISC",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://docs.docker.com/engine/release-notes/#20103"
},
{
"name": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/security/advisories/GHSA-7452-xqpj-6rpc"
},
{
"name": "https://github.com/moby/moby/releases/tag/v19.03.15",
"refsource": "MISC",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/releases/tag/v19.03.15"
},
{
"name": "https://github.com/moby/moby/releases/tag/v20.10.3",
"refsource": "MISC",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/moby/moby/releases/tag/v20.10.3"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210226-0005/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210226-0005/"
},
{
"name": "DSA-4865",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2021/dsa-4865"
},
{
"name": "GLSA-202107-23",
"refsource": "GENTOO",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202107-23"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "ADJACENT_NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:A/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 5.1,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 4.0
}
},
"lastModifiedDate": "2022-04-29T19:22Z",
"publishedDate": "2021-02-02T18:15Z"
}
}
}
MSRC_CVE-2021-21284
Vulnerability from csaf_microsoft - Published: 2021-02-02 00:00 - Updated: 2021-07-27 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 19029-16820 | — | | |
| Unresolved product id: 19030-16820 | — | | |
| Unresolved product id: 16833-16820 | — | | |
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2021/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2021/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2021-21284 privilege escalation in Moby - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2021/msrc_cve-2021-21284.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "privilege escalation in Moby",
"tracking": {
"current_release_date": "2021-07-27T00:00:00.000Z",
"generator": {
"date": "2025-12-27T19:08:30.433Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2021-21284",
"initial_release_date": "2021-02-02T00:00:00.000Z",
"revision_history": [
{
"date": "2021-07-16T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2021-07-27T00:00:00.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Added moby-engine to CBL-Mariner 1.0"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "CBL Mariner 1.0",
"product_id": "16820"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccm1 moby-engine 19.03.15+azure-2",
"product": {
"name": "\u003ccm1 moby-engine 19.03.15+azure-2",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cm1 moby-engine 19.03.15+azure-2",
"product": {
"name": "cm1 moby-engine 19.03.15+azure-2",
"product_id": "19029"
}
}
],
"category": "product_name",
"name": "moby-engine"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccm1 moby-cli 19.03.15+azure-2",
"product": {
"name": "\u003ccm1 moby-cli 19.03.15+azure-2",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cm1 moby-cli 19.03.15+azure-2",
"product": {
"name": "cm1 moby-cli 19.03.15+azure-2",
"product_id": "19030"
}
}
],
"category": "product_name",
"name": "moby-cli"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccm1 moby-buildx 0.4.1+azure-3",
"product": {
"name": "\u003ccm1 moby-buildx 0.4.1+azure-3",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "cm1 moby-buildx 0.4.1+azure-3",
"product": {
"name": "cm1 moby-buildx 0.4.1+azure-3",
"product_id": "16833"
}
}
],
"category": "product_name",
"name": "moby-buildx"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccm1 moby-engine 19.03.15+azure-2 as a component of CBL Mariner 1.0",
"product_id": "16820-2"
},
"product_reference": "2",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cm1 moby-engine 19.03.15+azure-2 as a component of CBL Mariner 1.0",
"product_id": "19029-16820"
},
"product_reference": "19029",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccm1 moby-cli 19.03.15+azure-2 as a component of CBL Mariner 1.0",
"product_id": "16820-1"
},
"product_reference": "1",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cm1 moby-cli 19.03.15+azure-2 as a component of CBL Mariner 1.0",
"product_id": "19030-16820"
},
"product_reference": "19030",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccm1 moby-buildx 0.4.1+azure-3 as a component of CBL Mariner 1.0",
"product_id": "16820-3"
},
"product_reference": "3",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cm1 moby-buildx 0.4.1+azure-3 as a component of CBL Mariner 1.0",
"product_id": "16833-16820"
},
"product_reference": "16833",
"relates_to_product_reference": "16820"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-21284",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"19029-16820",
"19030-16820",
"16833-16820"
],
"known_affected": [
"16820-2",
"16820-1",
"16820-3"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2021-21284 privilege escalation in Moby - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2021/msrc_cve-2021-21284.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2021-07-16T00:00:00.000Z",
"details": "-:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"16820-2",
"16820-1",
"16820-3"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"temporalScore": 6.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"16820-2",
"16820-1",
"16820-3"
]
}
],
"title": "privilege escalation in Moby"
}
]
}
OPENSUSE-SU-2021:0278-1
Vulnerability from csaf_opensuse - Published: 2021-02-12 00:12 - Updated: 2021-02-12 00:12
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2020-15257: Fixed a privilege escalation in containerd (bsc#1178969).\n- CVE-2021-21284: potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732)\n- CVE-2021-21285: pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730)\n\nNon-security issues fixed:\n\n- Update Docker to 19.03.15-ce. See upstream changelog in the packaged\n /usr/share/doc/packages/docker/CHANGELOG.md. This update includes fixes for\n bsc#1181732 (CVE-2021-21284) and bsc#1181730 (CVE-2021-21285).\n\n- Only apply the boo#1178801 libnetwork patch to handle firewalld on openSUSE.\n It appears that SLES doesn\u0027t like the patch. (bsc#1180401)\n\n- Update to containerd v1.3.9, which is needed for Docker v19.03.14-ce and\n fixes CVE-2020-15257. bsc#1180243\n\n- Update to containerd v1.3.7, which is required for Docker 19.03.13-ce.\n bsc#1176708\n\n- Update to Docker 19.03.14-ce. See upstream changelog in the packaged\n /usr/share/doc/packages/docker/CHANGELOG.md. CVE-2020-15257 bsc#1180243\n https://github.com/docker/docker-ce/releases/tag/v19.03.14\n\n- Enable fish-completion\n\n- Add a patch which makes Docker compatible with firewalld with\n nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548\n (bsc#1178801, SLE-16460)\n\n- Update to Docker 19.03.13-ce. See upstream changelog in the packaged\n /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1176708\n\n- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)\n\n- Emergency fix: %requires_eq does not work with provide symbols,\n only effective package names. Convert back to regular Requires.\n\n- Update to Docker 19.03.12-ce. 
See upstream changelog in the packaged\n /usr/share/doc/packages/docker/CHANGELOG.md.\n- Use Go 1.13 instead of Go 1.14 because Go 1.14 can cause all sorts of\n spurious errors due to Go returning -EINTR from I/O syscalls much more often\n (due to Go 1.14\u0027s pre-emptive goroutine support).\n- Add BuildRequires for all -git dependencies so that we catch missing\n dependencies much more quickly.\n\n- Update to libnetwork 55e924b8a842, which is required for Docker 19.03.14-ce.\n bsc#1180243\n\n- Add patch which makes libnetwork compatible with firewalld with\n nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548\n (bsc#1178801, SLE-16460)\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-278",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0278-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0278-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UGKTLORCQ4MPZPDFGWKJEEPQRXFUTZYZ/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0278-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/UGKTLORCQ4MPZPDFGWKJEEPQRXFUTZYZ/"
},
{
"category": "self",
"summary": "SUSE Bug 1174075",
"url": "https://bugzilla.suse.com/1174075"
},
{
"category": "self",
"summary": "SUSE Bug 1176708",
"url": "https://bugzilla.suse.com/1176708"
},
{
"category": "self",
"summary": "SUSE Bug 1178801",
"url": "https://bugzilla.suse.com/1178801"
},
{
"category": "self",
"summary": "SUSE Bug 1178969",
"url": "https://bugzilla.suse.com/1178969"
},
{
"category": "self",
"summary": "SUSE Bug 1180243",
"url": "https://bugzilla.suse.com/1180243"
},
{
"category": "self",
"summary": "SUSE Bug 1180401",
"url": "https://bugzilla.suse.com/1180401"
},
{
"category": "self",
"summary": "SUSE Bug 1181730",
"url": "https://bugzilla.suse.com/1181730"
},
{
"category": "self",
"summary": "SUSE Bug 1181732",
"url": "https://bugzilla.suse.com/1181732"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-15257 page",
"url": "https://www.suse.com/security/cve/CVE-2020-15257/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21284 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21284/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21285 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21285/"
}
],
"title": "Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork",
"tracking": {
"current_release_date": "2021-02-12T00:12:41Z",
"generator": {
"date": "2021-02-12T00:12:41Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0278-1",
"initial_release_date": "2021-02-12T00:12:41Z",
"revision_history": [
{
"date": "2021-02-12T00:12:41Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"product": {
"name": "docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"product_id": "docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"product": {
"name": "docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"product_id": "docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"product": {
"name": "docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"product_id": "docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.3.9-lp152.2.3.1.x86_64",
"product": {
"name": "containerd-1.3.9-lp152.2.3.1.x86_64",
"product_id": "containerd-1.3.9-lp152.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"product": {
"name": "containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"product_id": "containerd-ctr-1.3.9-lp152.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-19.03.15_ce-lp152.2.3.1.x86_64",
"product": {
"name": "docker-19.03.15_ce-lp152.2.3.1.x86_64",
"product_id": "docker-19.03.15_ce-lp152.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"product": {
"name": "docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"product_id": "docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"product": {
"name": "docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"product_id": "docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"product": {
"name": "docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"product_id": "docker-test-19.03.15_ce-lp152.2.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "fish-2.7.1-lp152.5.3.1.x86_64",
"product": {
"name": "fish-2.7.1-lp152.5.3.1.x86_64",
"product_id": "fish-2.7.1-lp152.5.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "fish-devel-2.7.1-lp152.5.3.1.x86_64",
"product": {
"name": "fish-devel-2.7.1-lp152.5.3.1.x86_64",
"product_id": "fish-devel-2.7.1-lp152.5.3.1.x86_64"
}
},
{
"category": "product_version",
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"product": {
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"product_id": "golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.3.9-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64"
},
"product_reference": "containerd-1.3.9-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.3.9-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64"
},
"product_reference": "containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-19.03.15_ce-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64"
},
"product_reference": "docker-19.03.15_ce-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch"
},
"product_reference": "docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch"
},
"product_reference": "docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
},
"product_reference": "docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64"
},
"product_reference": "docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-test-19.03.15_ce-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64"
},
"product_reference": "docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch"
},
"product_reference": "docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "fish-2.7.1-lp152.5.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64"
},
"product_reference": "fish-2.7.1-lp152.5.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "fish-devel-2.7.1-lp152.5.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64"
},
"product_reference": "fish-devel-2.7.1-lp152.5.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
},
"product_reference": "golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-15257",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-15257"
}
],
"notes": [
{
"category": "general",
"text": "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u0027s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container\u0027s privilege, regardless of what container runtime is used for running that container.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-15257",
"url": "https://www.suse.com/security/cve/CVE-2020-15257"
},
{
"category": "external",
"summary": "SUSE Bug 1178969 for CVE-2020-15257",
"url": "https://bugzilla.suse.com/1178969"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-02-12T00:12:41Z",
"details": "important"
}
],
"title": "CVE-2020-15257"
},
{
"cve": "CVE-2021-21284",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21284"
}
],
"notes": [
{
"category": "general",
"text": "In Docker before versions 19.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21284",
"url": "https://www.suse.com/security/cve/CVE-2021-21284"
},
{
"category": "external",
"summary": "SUSE Bug 1181732 for CVE-2021-21284",
"url": "https://bugzilla.suse.com/1181732"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-02-12T00:12:41Z",
"details": "low"
}
],
"title": "CVE-2021-21284"
},
{
"cve": "CVE-2021-21285",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21285"
}
],
"notes": [
{
"category": "general",
"text": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21285",
"url": "https://www.suse.com/security/cve/CVE-2021-21285"
},
{
"category": "external",
"summary": "SUSE Bug 1181730 for CVE-2021-21285",
"url": "https://bugzilla.suse.com/1181730"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:containerd-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.3.9-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-test-19.03.15_ce-lp152.2.3.1.x86_64",
"openSUSE Leap 15.2:docker-zsh-completion-19.03.15_ce-lp152.2.3.1.noarch",
"openSUSE Leap 15.2:fish-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:fish-devel-2.7.1-lp152.5.3.1.x86_64",
"openSUSE Leap 15.2:golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-02-12T00:12:41Z",
"details": "moderate"
}
],
"title": "CVE-2021-21285"
}
]
}
OPENSUSE-SU-2021:0878-1
Vulnerability from csaf_opensuse - Published: 2021-06-16 13:54 - Updated: 2021-06-16 13:54
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for containerd, docker, runc",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for containerd, docker, runc fixes the following issues:\n\nDocker was updated to 20.10.6-ce (bsc#1184768, bsc#1182947, bsc#1181594)\n\n* Switch version to use -ce suffix rather than _ce to avoid confusing other\n tools (bsc#1182476).\n* CVE-2021-21284: Fixed a potential privilege escalation when the root user in \n the remapped namespace has access to the host filesystem (bsc#1181732)\n* CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest \n crashes the dockerd daemon (bsc#1181730). \n* btrfs quotas being removed by Docker regularly (bsc#1183855, bsc#1175081)\n\nrunc was updated to v1.0.0~rc93 (bsc#1182451, bsc#1175821, bsc#1184962).\n\n* Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).\n* Fixed /dev/null is not available (bsc#1168481).\n* CVE-2021-30465: Fixed a symlink-exchange attack vulnerability (bsc#1185405).\n\ncontainerd was updated to v1.4.4\n\n* CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).\n* Handle a requirement from docker (bsc#1181594).\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-878",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_0878-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:0878-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/G76UZ7FY6VFG73EC6UUCBE46L3TAKR6G/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:0878-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/G76UZ7FY6VFG73EC6UUCBE46L3TAKR6G/"
},
{
"category": "self",
"summary": "SUSE Bug 1168481",
"url": "https://bugzilla.suse.com/1168481"
},
{
"category": "self",
"summary": "SUSE Bug 1175081",
"url": "https://bugzilla.suse.com/1175081"
},
{
"category": "self",
"summary": "SUSE Bug 1175821",
"url": "https://bugzilla.suse.com/1175821"
},
{
"category": "self",
"summary": "SUSE Bug 1181594",
"url": "https://bugzilla.suse.com/1181594"
},
{
"category": "self",
"summary": "SUSE Bug 1181641",
"url": "https://bugzilla.suse.com/1181641"
},
{
"category": "self",
"summary": "SUSE Bug 1181677",
"url": "https://bugzilla.suse.com/1181677"
},
{
"category": "self",
"summary": "SUSE Bug 1181730",
"url": "https://bugzilla.suse.com/1181730"
},
{
"category": "self",
"summary": "SUSE Bug 1181732",
"url": "https://bugzilla.suse.com/1181732"
},
{
"category": "self",
"summary": "SUSE Bug 1181749",
"url": "https://bugzilla.suse.com/1181749"
},
{
"category": "self",
"summary": "SUSE Bug 1182451",
"url": "https://bugzilla.suse.com/1182451"
},
{
"category": "self",
"summary": "SUSE Bug 1182476",
"url": "https://bugzilla.suse.com/1182476"
},
{
"category": "self",
"summary": "SUSE Bug 1182947",
"url": "https://bugzilla.suse.com/1182947"
},
{
"category": "self",
"summary": "SUSE Bug 1183024",
"url": "https://bugzilla.suse.com/1183024"
},
{
"category": "self",
"summary": "SUSE Bug 1183855",
"url": "https://bugzilla.suse.com/1183855"
},
{
"category": "self",
"summary": "SUSE Bug 1184768",
"url": "https://bugzilla.suse.com/1184768"
},
{
"category": "self",
"summary": "SUSE Bug 1184962",
"url": "https://bugzilla.suse.com/1184962"
},
{
"category": "self",
"summary": "SUSE Bug 1185405",
"url": "https://bugzilla.suse.com/1185405"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21284 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21284/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21285 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21285/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-21334 page",
"url": "https://www.suse.com/security/cve/CVE-2021-21334/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-30465 page",
"url": "https://www.suse.com/security/cve/CVE-2021-30465/"
}
],
"title": "Security update for containerd, docker, runc",
"tracking": {
"current_release_date": "2021-06-16T13:54:13Z",
"generator": {
"date": "2021-06-16T13:54:13Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:0878-1",
"initial_release_date": "2021-06-16T13:54:13Z",
"revision_history": [
{
"date": "2021-06-16T13:54:13Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"product": {
"name": "docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"product_id": "docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"product": {
"name": "docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"product_id": "docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch"
}
},
{
"category": "product_version",
"name": "docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"product": {
"name": "docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"product_id": "docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "containerd-1.4.4-lp152.2.6.1.x86_64",
"product": {
"name": "containerd-1.4.4-lp152.2.6.1.x86_64",
"product_id": "containerd-1.4.4-lp152.2.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"product": {
"name": "containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"product_id": "containerd-ctr-1.4.4-lp152.2.6.1.x86_64"
}
},
{
"category": "product_version",
"name": "docker-20.10.6_ce-lp152.2.12.1.x86_64",
"product": {
"name": "docker-20.10.6_ce-lp152.2.12.1.x86_64",
"product_id": "docker-20.10.6_ce-lp152.2.12.1.x86_64"
}
},
{
"category": "product_version",
"name": "runc-1.0.0~rc93-lp152.2.3.1.x86_64",
"product": {
"name": "runc-1.0.0~rc93-lp152.2.3.1.x86_64",
"product_id": "runc-1.0.0~rc93-lp152.2.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-1.4.4-lp152.2.6.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64"
},
"product_reference": "containerd-1.4.4-lp152.2.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "containerd-ctr-1.4.4-lp152.2.6.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64"
},
"product_reference": "containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-20.10.6_ce-lp152.2.12.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64"
},
"product_reference": "docker-20.10.6_ce-lp152.2.12.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch"
},
"product_reference": "docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch"
},
"product_reference": "docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch"
},
"product_reference": "docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "runc-1.0.0~rc93-lp152.2.3.1.x86_64 as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
},
"product_reference": "runc-1.0.0~rc93-lp152.2.3.1.x86_64",
"relates_to_product_reference": "openSUSE Leap 15.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-21284",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21284"
}
],
"notes": [
{
"category": "general",
"text": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/\u003cremapping\u003e\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21284",
"url": "https://www.suse.com/security/cve/CVE-2021-21284"
},
{
"category": "external",
"summary": "SUSE Bug 1181732 for CVE-2021-21284",
"url": "https://bugzilla.suse.com/1181732"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-16T13:54:13Z",
"details": "low"
}
],
"title": "CVE-2021-21284"
},
{
"cve": "CVE-2021-21285",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21285"
}
],
"notes": [
{
"category": "general",
"text": "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21285",
"url": "https://www.suse.com/security/cve/CVE-2021-21285"
},
{
"category": "external",
"summary": "SUSE Bug 1181730 for CVE-2021-21285",
"url": "https://bugzilla.suse.com/1181730"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-16T13:54:13Z",
"details": "moderate"
}
],
"title": "CVE-2021-21285"
},
{
"cve": "CVE-2021-21334",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-21334"
}
],
"notes": [
{
"category": "general",
"text": "In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd\u0027s CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd\u0027s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-21334",
"url": "https://www.suse.com/security/cve/CVE-2021-21334"
},
{
"category": "external",
"summary": "SUSE Bug 1183397 for CVE-2021-21334",
"url": "https://bugzilla.suse.com/1183397"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-16T13:54:13Z",
"details": "moderate"
}
],
"title": "CVE-2021-21334"
},
{
"cve": "CVE-2021-30465",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-30465"
}
],
"notes": [
{
"category": "general",
"text": "runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-30465",
"url": "https://www.suse.com/security/cve/CVE-2021-30465"
},
{
"category": "external",
"summary": "SUSE Bug 1185405 for CVE-2021-30465",
"url": "https://bugzilla.suse.com/1185405"
},
{
"category": "external",
"summary": "SUSE Bug 1189161 for CVE-2021-30465",
"url": "https://bugzilla.suse.com/1189161"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Leap 15.2:containerd-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:containerd-ctr-1.4.4-lp152.2.6.1.x86_64",
"openSUSE Leap 15.2:docker-20.10.6_ce-lp152.2.12.1.x86_64",
"openSUSE Leap 15.2:docker-bash-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-fish-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:docker-zsh-completion-20.10.6_ce-lp152.2.12.1.noarch",
"openSUSE Leap 15.2:runc-1.0.0~rc93-lp152.2.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-06-16T13:54:13Z",
"details": "important"
}
],
"title": "CVE-2021-30465"
}
]
}