PT-2022-19895 · Docker+8 · Docker+9
Steven J. Murdoch · Published 2022-08-22 · Updated 2025-08-28
CVE-2022-2989 · CVSS v3.1 7.1 (High) · Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Moby (Docker Engine) versions prior to 20.10.18
Podman (affected versions not specified)
CRI-O (affected versions not specified)
Buildah (affected versions not specified)
Docker (affected versions not specified)
Description
Incorrect handling of supplementary groups in container engines might lead to sensitive information disclosure or possible data modification if an attacker has direct access to the affected container and is able to execute binary code. This issue can allow attackers to bypass primary group restrictions, potentially gaining access to sensitive information or the ability to execute code in the container. The problem occurs when supplementary groups are not set up properly, permitting unauthorized access to files.
Recommendations
For Moby (Docker Engine) versions prior to 20.10.18, update to version 20.10.18 or later.
For users unable to upgrade to Moby (Docker Engine) version 20.10.18 or later, do not use the "USER $USERNAME" Dockerfile instruction; instead, call ENTRYPOINT ["su", "-", "user"] to set up supplementary groups properly.
As a temporary workaround for other affected container engines, consider restricting access to containers where supplementary groups are used to set access permissions until a patch is available.
For containers where SGID programs are executed, consider disabling the execution of these programs until the issue is resolved.
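A defender's check for the condition described above, added here as an example and not part of the advisory: it compares the supplementary group IDs a container process actually holds (`id -G`) with the groups `/etc/group` lists for that user, so a mismatch after `USER` versus `ENTRYPOINT ["su", "-", "user"]` can be verified inside the container. The `/etc/group` sample, the user name `user` and the helper names are constructed for the self-test.

```shell
#!/bin/sh
# Added check (not from the advisory): compare the supplementary GIDs a
# process actually holds with the groups /etc/group lists for that user.
# A non-empty "missing" list means the entrypoint ran without proper
# supplementary-group setup, which is the condition CVE-2022-2989 describes.

# Constructed sample of an /etc/group file, used only for the self-test.
SAMPLE_GROUP_FILE='root:x:0:
docker:x:999:user
sudo:x:27:user,other
user:x:1001:
other:x:1002:'

# Print the GIDs (sorted, space-separated) of every group in which $1
# appears as a member, reading group entries from $2 (default: /etc/group).
expected_supplementary_gids() {
    user="$1"
    data="${2:-$(cat /etc/group)}"
    printf '%s\n' "$data" | awk -F: -v u="$user" '
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == u) { print $3; break }
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Print every GID from the expected list ($1) that is absent from the
# actual list ($2); an empty result means the groups were applied.
missing_gids() {
    expected="$1"; actual="$2"; missing=""
    for gid in $expected; do
        case " $actual " in
            *" $gid "*) ;;
            *) missing="$missing $gid" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Live check for the current process: `id -G` lists the groups the kernel
# actually applied; compare them with what /etc/group promises for the user.
check_current_process() {
    me="$(id -un)"
    missing_gids "$(expected_supplementary_gids "$me")" "$(id -G)"
}
```

Run `check_current_process` as the container's entrypoint user; any GIDs it prints are groups the process should have but does not.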
Improper Privilege Management
Incorrect Permission
Improper Access Control
Incorrect Authorization
Affected Products
Alt Linux
Almalinux
Centos
Docker
Linuxmint
Moby
Red Hat
Rocky Linux
Suse
Ubuntu