PT-2022-19901 · Moby+11
Steven J. Murdoch · Published 2022-08-22 · Updated 2025-01-17
CVE-2022-2990
CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Buildah versions prior to 20.10.18
CRI-O versions prior to 20.10.18
Docker versions prior to 20.10.18
Moby (Docker Engine) versions prior to 20.10.18
Podman versions prior to 20.10.18
Description
The issue arises from incorrect handling of supplementary groups in several container engines, including Buildah, CRI-O, Docker, Moby, and Podman: when a container process is started as a non-root user, the engine does not add that user's primary group to the process's supplementary group list. An attacker who already has direct access to the affected container and can execute binary code within it may use this to bypass restrictions tied to the primary group and, in some cases, escalate privileges within the container, leading to disclosure of sensitive information or modification of data. For instance, an SGID program executed in the container can access files that carry negative group permissions for the user's primary group (mode bits that grant less to the group than to everyone else), because once the SGID program switches its effective group, nothing in the process's credentials still identifies it as a member of the primary group.
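The following POSIX shell script is an added example written for this page; it is not code from the advisory or from any of the affected projects. It checks the condition the description above relies on: whether a process's real GID is also present in its supplementary group list. Fixed engines guarantee that it is, so running this as the container's configured user (for example through the container's entrypoint) tells a defender whether a given engine version, or the ENTRYPOINT-based workaround, actually sets the groups up correctly. It reads /proc/self/status rather than calling id(1), because the kernel's "Groups:" line is the real getgroups() list, whereas id -G may prepend the effective GID and hide the problem. The sample status text at the bottom is constructed, not captured from a real container.

```shell
#!/bin/sh
# Added example (not from the advisory): does the primary group appear among
# the supplementary groups of a process? Input is the text of /proc/self/status.

# primary_gid_from_status STATUS_TEXT -> prints the real GID (first field of "Gid:")
primary_gid_from_status() {
    printf '%s\n' "$1" | awk '$1 == "Gid:" { print $2; exit }'
}

# supp_groups_from_status STATUS_TEXT -> prints the supplementary GIDs,
# space-separated, exactly as the kernel reports them on the "Groups:" line
supp_groups_from_status() {
    printf '%s\n' "$1" | awk '$1 == "Groups:" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# gid_in_list GID "GID GID ..." -> returns 0 when GID is in the list
gid_in_list() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# classify_status STATUS_TEXT -> prints "ok" when the primary group is also a
# supplementary group, "primary-group-missing" otherwise (the vulnerable shape)
classify_status() {
    primary=$(primary_gid_from_status "$1")
    supp=$(supp_groups_from_status "$1")
    if gid_in_list "$primary" "$supp"; then
        echo ok
    else
        echo primary-group-missing
    fi
}

# check_self -> classifies the calling process; run it as the container's
# configured user, e.g. as (or from) the container entrypoint
check_self() {
    classify_status "$(cat /proc/self/status)"
}

# Constructed sample (not captured from a real system): a uid 1000 process whose
# primary gid 1000 is absent from the supplementary list, i.e. the condition
# described in the advisory.
SAMPLE_VULNERABLE="$(printf 'Gid:\t1000\t1000\t1000\t1000\nGroups:\t4 27 \n')"

if [ -r /proc/self/status ]; then
    echo "this process: $(check_self)"
fi
echo "constructed sample: $(classify_status "$SAMPLE_VULNERABLE")"
```

A result of primary-group-missing for a non-root container user means SGID binaries in that container should be treated as able to read or write files that rely on negative group permissions for that user's primary group; updating the engine, or applying the ENTRYPOINT workaround below and re-running the check, should turn it into ok.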
Recommendations
For Buildah versions prior to 20.10.18: Update to version 20.10.18 or later.
For CRI-O versions prior to 20.10.18: Update to version 20.10.18 or later.
For Docker versions prior to 20.10.18: Update to version 20.10.18 or later, and consider stopping and restarting running containers so that the fixed engine sets up their group permissions. As a temporary workaround, avoid using the "USER $USERNAME" Dockerfile instruction; instead, use ENTRYPOINT ["su", "-", "user"], so that su sets up the supplementary groups properly when it switches to the user.
For Moby (Docker Engine) versions prior to 20.10.18: Update to version 20.10.18 or later.
For Podman versions prior to 20.10.18: Update to version 20.10.18 or later.
Incorrect Permission
Improper Privilege Management
Incorrect Authorization
Improper Access Control
Affected Products
Alt Linux
Almalinux
Buildah
Cri-O
Centos
Debian
Docker
Moby
Podman
Red Hat
Rocky Linux
Suse