Steven J. Murdoch

Researcher from University College London (UCL)
#7005 of 53,635
38.9 Total CVSS
Vulnerabilities · 6 (Medium: 2, High: 4)

PT-2022-6457 · 7.1 · 2022-09-14 · Docker · Moby · CVE-2023-25173

**Name of the Vulnerable Software and Affected Versions**

- containerd versions prior to 1.6.18 and 1.5.18
- Moby (Docker Engine) versions prior to 20.10.18
- CRI-O (affected versions not specified)
- Buildah (affected versions not specified)
- Podman (affected versions not specified)

**Description**

A bug was found in containerd, Moby (Docker Engine), CRI-O, Buildah, and Podman where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.

**Recommendations**

- For containerd versions prior to 1.6.18 and 1.5.18: Update to versions 1.6.18 and 1.5.18 and recreate containers to resolve this issue.
- For Moby (Docker Engine) versions prior to 20.10.18: Update to version 20.10.18 when it is available and stop and restart running containers for the permissions to be fixed.
- For CRI-O, Buildah, and Podman: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

As a temporary workaround for all affected versions, ensure that the `USER $USERNAME` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.

PT-2022-19895 · 7.1 · 2022-08-22 · Docker · Docker · CVE-2022-2989

**Name of the Vulnerable Software and Affected Versions**

- Moby (Docker Engine) versions prior to 20.10.18
- Podman (affected versions not specified)
- CRI-O (affected versions not specified)
- Buildah (affected versions not specified)
- Docker (affected versions not specified)

**Description**

An incorrect handling of supplementary groups in container engines might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container and is able to execute binary code. This issue can allow attackers to bypass primary group restrictions, potentially gaining access to sensitive information or gaining the ability to execute code in the container. The problem occurs when supplementary groups are not set up properly, permitting unauthorized access to files.

**Recommendations**

- For Moby (Docker Engine) versions prior to 20.10.18, update to version 20.10.18 or later.
- For users unable to upgrade to Moby (Docker Engine) version 20.10.18 or later, do not use the `USER $USERNAME` Dockerfile instruction; instead, call `ENTRYPOINT ["su", "-", "user"]` to set up supplementary groups properly.
- As a temporary workaround for other affected container engines, consider restricting access to containers where supplementary groups are used to set access permissions until a patch is available.
- For containers where SGID programs are executed, consider disabling the execution of these programs until the issue is resolved.

PT-2022-19901 · 7.1 · 2022-08-22 · Moby · Moby · CVE-2022-2990

**Name of the Vulnerable Software and Affected Versions**

- Buildah versions prior to 20.10.18
- CRI-O versions prior to 20.10.18
- Docker versions prior to 20.10.18
- Moby (Docker Engine) versions prior to 20.10.18
- Podman versions prior to 20.10.18

**Description**

The issue arises from an incorrect handling of supplementary groups in various container engines, including Buildah, CRI-O, Docker, Moby, and Podman. This might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container and is able to execute binary code within it. The problem occurs when supplementary groups are not set up properly, allowing attackers to bypass primary group restrictions in some cases and potentially escalate privileges within the container. For instance, SGID programs executed in a container can access files with negative group permissions for the user's primary group, due to the container engine's failure to correctly add the primary group to the supplementary groups.

**Recommendations**

- For Buildah versions prior to 20.10.18: Update to version 20.10.18 or later.
- For CRI-O versions prior to 20.10.18: Update to version 20.10.18 or later.
- For Docker versions prior to 20.10.18: Update to version 20.10.18 or later, and consider stopping and restarting running containers for the permissions to be fixed. As a temporary workaround, avoid using the `USER $USERNAME` Dockerfile instruction; instead, use `ENTRYPOINT ["su", "-", "user"]` to set up supplementary groups properly.
- For Moby (Docker Engine) versions prior to 20.10.18: Update to version 20.10.18 or later.
- For Podman versions prior to 20.10.18: Update to version 20.10.18 or later.
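
An audit for the condition these entries describe, as an added example that is not part of the original page or of any project named on it: it compares a process's supplementary groups (the `Groups:` line of `/proc/<pid>/status`) with what `su` / `initgroups(3)` would set up, namely the primary GID plus the user's `/etc/group` memberships. The function names, the user `app` and both sample inputs are constructed assumptions.

```python
# Constructed /etc/group content for a container image (illustrative only).
GROUP_FILE = "root:x:0:\napp:x:1000:\nreports:x:2000:app\ndenied:x:3000:\n"

# Constructed /proc/<pid>/status excerpts for a process started as user "app".
STATUS_AFFECTED = "Name:\tsleep\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t\n"
STATUS_FIXED = "Name:\tsleep\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000 2000 \n"


def parse_status(status_text):
    """Return (real_gid, supplementary_gids) from /proc/<pid>/status text."""
    real_gid, groups = None, set()
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Gid":
            # Fields are: real, effective, saved-set, filesystem GID.
            real_gid = int(value.split()[0])
        elif key == "Groups":
            groups = {int(g) for g in value.split()}
    if real_gid is None:
        raise ValueError("no Gid line in status text")
    return real_gid, groups


def expected_groups(user, primary_gid, group_file_text):
    """Primary GID plus every group that lists `user` as a member."""
    expected = {primary_gid}
    for line in group_file_text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) < 4:
            continue
        if user in [m for m in fields[3].split(",") if m]:
            expected.add(int(fields[2]))
    return expected


def audit(user, status_text, group_file_text):
    """Return sorted GIDs the process should hold as supplementary groups but lacks."""
    primary_gid, actual = parse_status(status_text)
    return sorted(expected_groups(user, primary_gid, group_file_text) - actual)


if __name__ == "__main__":
    for label, status in (("affected", STATUS_AFFECTED), ("fixed", STATUS_FIXED)):
        print(label, "missing supplementary GIDs:", audit("app", status, GROUP_FILE))
```

A non-empty result that includes the primary GID matches the failure the CVE-2022-2990 entry describes; after upgrading, containers have to be recreated or restarted before the check comes back empty.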