CVE-2023-28842

Name of the Vulnerable Software and Affected Versions Moby versions prior to 23.0.3 Moby versions prior to 20.10.24 Mirantis Container Runtime versions prior to 20.10.16

Description The issue is related to the use of an unsecured alternative channel in the Swarm Mode of the Moby daemon component. This allows a remote attacker to impact the integrity of protected information by sending unencrypted packets. Encrypted overlay networks in Moby's Swarm Mode silently accept cleartext VXLAN datagrams, making it possible to inject arbitrary Ethernet frames into the encrypted overlay network. This can have severe implications. The overlay network driver, a core feature of Swarm Mode, provides isolated virtual LANs and supports an optional encrypted mode. However, the lack of proper encryption allows for the injection of malicious data.

Recommendations For Moby versions prior to 23.0.3, update to version 23.0.3 or later. For Moby versions prior to 20.10.24, update to version 20.10.24 or later. For Mirantis Container Runtime versions prior to 20.10.16, update to version 20.10.16 or later. As a temporary workaround, in multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network on every node. For a single-node cluster, do not use overlay networks of any sort; instead, use bridge networks for connectivity. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec.