{
  "GSD": {
    "alias": "CVE-2021-43784",
    "description": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.",
    "id": "GSD-2021-43784",
    "references": [
      "https://www.suse.com/security/cve/CVE-2021-43784.html",
      "https://advisories.mageia.org/CVE-2021-43784.html",
      "https://security.archlinux.org/CVE-2021-43784",
      "https://packetstormsecurity.com/files/cve/CVE-2021-43784"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-43784"
      ],
      "details": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.",
      "id": "GSD-2021-43784",
      "modified": "2023-12-13T01:23:26.489370Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-43784",
        "STATE": "PUBLIC",
        "TITLE": "Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "runc",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.0.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "opencontainers"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 6.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-190: Integer Overflow or Wraparound"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f",
            "refsource": "CONFIRM",
            "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f"
          },
          {
            "name": "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554",
            "refsource": "MISC",
            "url": "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554"
          },
          {
            "name": "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae",
            "refsource": "MISC",
            "url": "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae"
          },
          {
            "name": "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed",
            "refsource": "MISC",
            "url": "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed"
          },
          {
            "name": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241",
            "refsource": "MISC",
            "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241"
          },
          {
            "name": "[debian-lts-announce] 20211206 [SECURITY] [DLA 2841-1] runc security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html"
          },
          {
            "name": "[debian-lts-announce] 20240219 [SECURITY] [DLA 3735-1] runc security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-v95c-p5hm-xq8f",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.0.3",
          "affected_versions": "All versions before 1.0.3",
          "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-190",
            "CWE-937"
          ],
          "date": "2021-12-08",
          "description": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.",
          "fixed_versions": [
            "1.0.3"
          ],
          "identifier": "CVE-2021-43784",
          "identifiers": [
            "GHSA-v95c-p5hm-xq8f",
            "CVE-2021-43784"
          ],
          "not_impacted": "All versions starting from 1.0.3",
          "package_slug": "go/github.com/opencontainers/runc",
          "pubdate": "2021-12-07",
          "solution": "Upgrade to version 1.0.3 or above.",
          "title": "Integer Overflow or Wraparound",
          "urls": [
            "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f",
            "https://nvd.nist.gov/vuln/detail/CVE-2021-43784",
            "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554",
            "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae",
            "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed",
            "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241",
            "https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html",
            "https://github.com/advisories/GHSA-v95c-p5hm-xq8f"
          ],
          "uuid": "dbf17836-609e-4c76-a93e-63376347bc45"
        },
        {
          "affected_range": "\u003cv1.0.3",
          "affected_versions": "All versions before 1.0.3",
          "cvss_v2": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
          "cwe_ids": [
            "CWE-1035",
            "CWE-190",
            "CWE-937"
          ],
          "date": "2021-12-08",
          "description": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc, the encoder does not handle the possibility of an integer overflow in the length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.",
          "fixed_versions": [
            "v1.0.3"
          ],
          "identifier": "CVE-2021-43784",
          "identifiers": [
            "CVE-2021-43784",
            "GHSA-v95c-p5hm-xq8f"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/opencontainers/runc/libcontainer",
          "pubdate": "2021-12-06",
          "solution": "Upgrade to version 1.0.3 or above.",
          "title": "Integer Overflow or Wraparound",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-43784",
            "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae",
            "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554",
            "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed",
            "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f",
            "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241",
            "https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html"
          ],
          "uuid": "30f2ef84-bc48-42f8-9b38-ba5ff95f4eac",
          "versions": [
            {
              "commit": {
                "sha": "e4bccdbd64361ac5ea8ba90bb8845add78f957a6",
                "tags": [
                  "v1.0.3"
                ],
                "timestamp": "20211203081737"
              },
              "number": "v1.0.3"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "0EDE92EF-36C3-48E0-ADCF-FFAB45F903F2",
                    "versionEndExcluding": "1.0.3",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug."
          },
          {
            "lang": "es",
            "value": "runc es una herramienta CLI para generar y ejecutar contenedores en Linux seg\u00fan la especificaci\u00f3n OCI. En runc, netlink es usado internamente como un sistema de serializaci\u00f3n para especificar la configuraci\u00f3n relevante del contenedor a la porci\u00f3n \"C\" del c\u00f3digo (responsable de la configuraci\u00f3n del espacio de nombres basado en los contenedores). En todas las versiones de runc anteriores a la 1.0.3, el codificador no manejaba la posibilidad de un desbordamiento de enteros en el campo de longitud de 16 bits para el tipo de atributo de matriz de bytes, lo que significaba que un atributo de matriz de bytes suficientemente grande y malicioso pod\u00eda provocar el desbordamiento de la longitud y que el contenido del atributo fuera analizado como mensajes netlink para la configuraci\u00f3n del contenedor. Esta vulnerabilidad requiere que el atacante tenga cierto control sobre la configuraci\u00f3n del contenedor y le permitir\u00eda saltarse las restricciones de espacio de nombres del contenedor simplemente a\u00f1adiendo su propia carga \u00fatil de netlink que deshabilita todos los espacios de nombres. Los principales usuarios afectados son aquellos que permiten la ejecuci\u00f3n de im\u00e1genes no confiables con configuraciones no confiables en sus m\u00e1quinas (como en el caso de la infraestructura de nube compartida). runc versi\u00f3n 1.0.3 contiene una correcci\u00f3n para este bug. Como soluci\u00f3n, puede intentarse deshabilitar las rutas de espacios de nombres no confiables de su contenedor. Tenga en cuenta que las rutas de espacios de nombres no confiables permitir\u00edan al atacante deshabilitar las protecciones de espacios de nombres por completo incluso en ausencia de este bug"
          }
        ],
        "id": "CVE-2021-43784",
        "lastModified": "2024-02-19T03:15:07.330",
        "metrics": {
          "cvssMetricV2": [
            {
              "acInsufInfo": false,
              "baseSeverity": "MEDIUM",
              "cvssData": {
                "accessComplexity": "MEDIUM",
                "accessVector": "NETWORK",
                "authentication": "SINGLE",
                "availabilityImpact": "PARTIAL",
                "baseScore": 6.0,
                "confidentialityImpact": "PARTIAL",
                "integrityImpact": "PARTIAL",
                "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
                "version": "2.0"
              },
              "exploitabilityScore": 6.8,
              "impactScore": 6.4,
              "obtainAllPrivilege": false,
              "obtainOtherPrivilege": false,
              "obtainUserPrivilege": false,
              "source": "nvd@nist.gov",
              "type": "Primary",
              "userInteractionRequired": false
            }
          ],
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.0,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 1.6,
              "impactScore": 3.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.0,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "exploitabilityScore": 1.8,
              "impactScore": 3.7,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2021-12-06T18:15:08.240",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Third Party Advisory"
            ],
            "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-190"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Primary"
          }
        ]
      }
    }
  }
}

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/opencontainers/runc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-43784"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-12-06T22:09:36Z",
    "nvd_published_at": "2021-12-06T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nIn runc, [netlink](https://www.man7.org/linux/man-pages/man7/netlink.7.html) is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration.\n\nThis vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces.\n\nPrior to 9c444070ec7bb83995dbc0185da68284da71c554, in practice it was fairly difficult to specify an arbitrary-length netlink message with most container runtimes. The only user-controlled byte array was the namespace paths attributes which can be specified in runc\u0027s `config.json`, but as far as we can tell no container runtime gives raw access to that configuration setting -- and having raw access to that setting **would allow the attacker to disable namespace protections entirely anyway** (setting them to `/proc/1/ns/...` for instance). In addition, each namespace path is limited to 4096 bytes (with only 7 namespaces supported by runc at the moment) meaning that even with custom namespace paths it appears an attacker still cannot shove enough bytes into the netlink bytemsg in order to overflow the uint16 counter.\n\nHowever, out of an abundance of caution (given how old this bug is) we decided to treat it as a potentially exploitable vulnerability with a low severity. After 9c444070ec7bb83995dbc0185da68284da71c554 (which was not present in any release of runc prior to the discovery of this bug), all mount paths are included as a giant netlink message which means that this bug becomes significantly more exploitable in more reasonable threat scenarios.\n\nThe main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure), though as mentioned above it appears this bug was not practically exploitable on any released version of runc to date.\n\n### Patches\nThe patch for this is d72d057ba794164c3cce9451a00b72a78b25e1ae and runc 1.0.3 was released with this bug fixed.\n\n### Workarounds\nTo the extent this is exploitable, disallowing untrusted namespace paths in container configuration should eliminate all practical ways of exploiting this bug. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.\n\n### References\n* commit d72d057ba794 (\"runc init: avoid netlink message length overflows\")\n* https://bugs.chromium.org/p/project-zero/issues/detail?id=2241\n\n### Credits\nThanks to Felix Wilhelm from Google Project Zero for discovering and reporting this vulnerability. In particular, the fact they found this vulnerability so quickly, before we made a 1.1 release of runc (which would\u0027ve been vulnerable) was quite impressive.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [our repo](https://github.com/opencontainers/runc)\n",
  "id": "GHSA-v95c-p5hm-xq8f",
  "modified": "2024-05-31T17:47:57Z",
  "published": "2021-12-07T21:22:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43784"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/9c444070ec7bb83995dbc0185da68284da71c554"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/dde509df4e28cec33b3c99c6cda3d4fd5beafc77"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencontainers/runc/commit/f50369af4b571e358f20b139eea52d612eb55eed"
    },
    {
      "type": "WEB",
      "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=2241"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opencontainers/runc"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2022-0274"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration in RunC"
}

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for runc is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime.\n\nSecurity Fix(es):\n\n* golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)\n\n* runc: Rootless runc makes `/sys/fs/cgroup` writable (CVE-2023-25809)\n\n* runc: volume mount race condition (regression of CVE-2019-19921) (CVE-2023-27561)\n\n* runc: AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration (CVE-2023-28642)\n\n* runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration (CVE-2021-43784)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 9.3 Release Notes linked from the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:6380",
        "url": "https://access.redhat.com/errata/RHSA-2023:6380"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.3_release_notes/index"
      },
      {
        "category": "external",
        "summary": "2029439",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2029439"
      },
      {
        "category": "external",
        "summary": "2175721",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2175721"
      },
      {
        "category": "external",
        "summary": "2178492",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178492"
      },
      {
        "category": "external",
        "summary": "2182883",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182883"
      },
      {
        "category": "external",
        "summary": "2182884",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182884"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6380.json"
      }
    ],
    "title": "Red Hat Security Advisory: runc security update",
    "tracking": {
      "current_release_date": "2024-09-18T05:09:10+00:00",
      "generator": {
        "date": "2024-09-18T05:09:10+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2023:6380",
      "initial_release_date": "2023-11-07T08:47:52+00:00",
      "revision_history": [
        {
          "date": "2023-11-07T08:47:52+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-11-07T08:47:52+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-18T05:09:10+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux AppStream (v. 9)",
                "product": {
                  "name": "Red Hat Enterprise Linux AppStream (v. 9)",
                  "product_id": "AppStream-9.3.0.GA",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:enterprise_linux:9::appstream"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-4:1.1.9-1.el9.src",
                "product": {
                  "name": "runc-4:1.1.9-1.el9.src",
                  "product_id": "runc-4:1.1.9-1.el9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc@1.1.9-1.el9?arch=src\u0026epoch=4"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-4:1.1.9-1.el9.aarch64",
                "product": {
                  "name": "runc-4:1.1.9-1.el9.aarch64",
                  "product_id": "runc-4:1.1.9-1.el9.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc@1.1.9-1.el9?arch=aarch64\u0026epoch=4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "runc-debugsource-4:1.1.9-1.el9.aarch64",
                "product": {
                  "name": "runc-debugsource-4:1.1.9-1.el9.aarch64",
                  "product_id": "runc-debugsource-4:1.1.9-1.el9.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc-debugsource@1.1.9-1.el9?arch=aarch64\u0026epoch=4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "runc-debuginfo-4:1.1.9-1.el9.aarch64",
                "product": {
                  "name": "runc-debuginfo-4:1.1.9-1.el9.aarch64",
                  "product_id": "runc-debuginfo-4:1.1.9-1.el9.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc-debuginfo@1.1.9-1.el9?arch=aarch64\u0026epoch=4"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-4:1.1.9-1.el9.ppc64le",
                "product": {
                  "name": "runc-4:1.1.9-1.el9.ppc64le",
                  "product_id": "runc-4:1.1.9-1.el9.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc@1.1.9-1.el9?arch=ppc64le\u0026epoch=4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "runc-debugsource-4:1.1.9-1.el9.ppc64le",
                "product": {
                  "name": "runc-debugsource-4:1.1.9-1.el9.ppc64le",
                  "product_id": "runc-debugsource-4:1.1.9-1.el9.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc-debugsource@1.1.9-1.el9?arch=ppc64le\u0026epoch=4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "runc-debuginfo-4:1.1.9-1.el9.ppc64le",
                "product": {
                  "name": "runc-debuginfo-4:1.1.9-1.el9.ppc64le",
                  "product_id": "runc-debuginfo-4:1.1.9-1.el9.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc-debuginfo@1.1.9-1.el9?arch=ppc64le\u0026epoch=4"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-4:1.1.9-1.el9.x86_64",
                "product": {
                  "name": "runc-4:1.1.9-1.el9.x86_64",
                  "product_id": "runc-4:1.1.9-1.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc@1.1.9-1.el9?arch=x86_64\u0026epoch=4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "runc-debugsource-4:1.1.9-1.el9.x86_64",
                "product": {
                  "name": "runc-debugsource-4:1.1.9-1.el9.x86_64",
                  "product_id": "runc-debugsource-4:1.1.9-1.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc-debugsource@1.1.9-1.el9?arch=x86_64\u0026epoch=4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "runc-debuginfo-4:1.1.9-1.el9.x86_64",
                "product": {
                  "name": "runc-debuginfo-4:1.1.9-1.el9.x86_64",
                  "product_id": "runc-debuginfo-4:1.1.9-1.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc-debuginfo@1.1.9-1.el9?arch=x86_64\u0026epoch=4"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "runc-4:1.1.9-1.el9.s390x",
                "product": {
                  "name": "runc-4:1.1.9-1.el9.s390x",
                  "product_id": "runc-4:1.1.9-1.el9.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc@1.1.9-1.el9?arch=s390x\u0026epoch=4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "runc-debugsource-4:1.1.9-1.el9.s390x",
                "product": {
                  "name": "runc-debugsource-4:1.1.9-1.el9.s390x",
                  "product_id": "runc-debugsource-4:1.1.9-1.el9.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc-debugsource@1.1.9-1.el9?arch=s390x\u0026epoch=4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "runc-debuginfo-4:1.1.9-1.el9.s390x",
                "product": {
                  "name": "runc-debuginfo-4:1.1.9-1.el9.s390x",
                  "product_id": "runc-debuginfo-4:1.1.9-1.el9.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/runc-debuginfo@1.1.9-1.el9?arch=s390x\u0026epoch=4"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-4:1.1.9-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64"
        },
        "product_reference": "runc-4:1.1.9-1.el9.aarch64",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-4:1.1.9-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le"
        },
        "product_reference": "runc-4:1.1.9-1.el9.ppc64le",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-4:1.1.9-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x"
        },
        "product_reference": "runc-4:1.1.9-1.el9.s390x",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-4:1.1.9-1.el9.src as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src"
        },
        "product_reference": "runc-4:1.1.9-1.el9.src",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-4:1.1.9-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64"
        },
        "product_reference": "runc-4:1.1.9-1.el9.x86_64",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-debuginfo-4:1.1.9-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64"
        },
        "product_reference": "runc-debuginfo-4:1.1.9-1.el9.aarch64",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-debuginfo-4:1.1.9-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le"
        },
        "product_reference": "runc-debuginfo-4:1.1.9-1.el9.ppc64le",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-debuginfo-4:1.1.9-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x"
        },
        "product_reference": "runc-debuginfo-4:1.1.9-1.el9.s390x",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-debuginfo-4:1.1.9-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64"
        },
        "product_reference": "runc-debuginfo-4:1.1.9-1.el9.x86_64",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-debugsource-4:1.1.9-1.el9.aarch64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64"
        },
        "product_reference": "runc-debugsource-4:1.1.9-1.el9.aarch64",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-debugsource-4:1.1.9-1.el9.ppc64le as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le"
        },
        "product_reference": "runc-debugsource-4:1.1.9-1.el9.ppc64le",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-debugsource-4:1.1.9-1.el9.s390x as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x"
        },
        "product_reference": "runc-debugsource-4:1.1.9-1.el9.s390x",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "runc-debugsource-4:1.1.9-1.el9.x86_64 as a component of Red Hat Enterprise Linux AppStream (v. 9)",
          "product_id": "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
        },
        "product_reference": "runc-debugsource-4:1.1.9-1.el9.x86_64",
        "relates_to_product_reference": "AppStream-9.3.0.GA"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-43784",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "discovery_date": "2021-12-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2029439"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An integer overflow vulnerability was found in runC. This issue occurs due to an incorrect netlink encoder handling the possibility of an integer overflow in the 16-bit length field for the byte array attribute type. This flaw allows an attacker who can include a large enough malicious byte array attribute to bypass the namespace restrictions of the container by simply adding their netlink payload, which disables all namespaces.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Before runC 1.0.3, the only user-controlled byte array (used to exploit this vulnerability) was the namespace paths attributes, located in runC\u0027s config.json. Having raw access to that setting would allow the attacker to disable namespace protections entirely. This issue means that in practice, it was fairly difficult to specify an arbitrary-length netlink message with most container runtimes, resulting in the impact of this vulnerability being Low.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-43784"
        },
        {
          "category": "external",
          "summary": "RHBZ#2029439",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2029439"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-43784",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-43784"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-43784",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43784"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f",
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f"
        }
      ],
      "release_date": "2021-12-06T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6380"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration"
    },
    {
      "cve": "CVE-2022-41724",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2023-03-15T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2178492"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Golang Go, where it is vulnerable to a denial of service caused when processing large TLS handshake records. By sending specially-crafted TLS handshake records, a remote, authenticated attacker can cause a denial of service condition.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: crypto/tls: large handshake records may cause panics",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The opportunity for a denial of service is limited to the golang runtime. In the case of the OpenShift Container Platform, this would be restricted within each individual container. There are multiple layers of guide rails (Golang\u2019s Garbage Collector; OpenShift\u2019s resource constraints imposed at the container and cluster levels) which would require a malicious user to continue submitting attacks for there to be any enduring impact. They would also need access to external server resources to be able to send a massive volume of requests to cause a significant impact on server operations.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41724"
        },
        {
          "category": "external",
          "summary": "RHBZ#2178492",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2178492"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41724",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41724"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41724",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41724"
        },
        {
          "category": "external",
          "summary": "https://go.dev/cl/468125",
          "url": "https://go.dev/cl/468125"
        },
        {
          "category": "external",
          "summary": "https://go.dev/issue/58001",
          "url": "https://go.dev/issue/58001"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E",
          "url": "https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E"
        },
        {
          "category": "external",
          "summary": "https://pkg.go.dev/vuln/GO-2023-1570",
          "url": "https://pkg.go.dev/vuln/GO-2023-1570"
        }
      ],
      "release_date": "2023-02-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6380"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: crypto/tls: large handshake records may cause panics"
    },
    {
      "cve": "CVE-2023-25809",
      "cwe": {
        "id": "CWE-276",
        "name": "Incorrect Default Permissions"
      },
      "discovery_date": "2023-03-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2182884"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in runc, where it is vulnerable to a denial of service caused by improper access control in the /sys/fs/cgroup endpoint. This flaw allows a local authenticated attacker to cause a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "runc: Rootless runc makes `/sys/fs/cgroup` writable",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-25809"
        },
        {
          "category": "external",
          "summary": "RHBZ#2182884",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182884"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-25809",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-25809"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-25809",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25809"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17",
          "url": "https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc",
          "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc"
        }
      ],
      "release_date": "2023-03-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6380"
        },
        {
          "category": "workaround",
          "details": "Condition 1: Unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.\nCondition 2 (very rare): add /sys/fs/cgroup to maskedPaths",
          "product_ids": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "runc: Rootless runc makes `/sys/fs/cgroup` writable"
    },
    {
      "cve": "CVE-2023-27561",
      "cwe": {
        "id": "CWE-41",
        "name": "Improper Resolution of Path Equivalence"
      },
      "discovery_date": "2023-03-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2175721"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "runc: volume mount race condition (regression of CVE-2019-19921)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The vulnerability in runc, related to Incorrect Access Control in libcontainer/rootfs_linux.go, is classified as a moderate severity issue due to its prerequisites for exploitation and the level of access required by an attacker. To exploit this vulnerability, an attacker must have the capability to spawn two containers with custom volume-mount configurations and execute custom images within these containers. This restricts the attack vector to scenarios where an attacker already has a certain level of access to the container environment. Additionally, the vulnerability leads to an escalation of privileges, potentially allowing an attacker to gain elevated permissions on the host system. While the impact of privilege escalation is significant, the specific conditions required for successful exploitation mitigate the overall severity to moderate. \n\nThis CVE exists because of a CVE-2019-19921 regression.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-27561"
        },
        {
          "category": "external",
          "summary": "RHBZ#2175721",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2175721"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-27561",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-27561"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-27561",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27561"
        },
        {
          "category": "external",
          "summary": "https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9",
          "url": "https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334",
          "url": "https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334"
        },
        {
          "category": "external",
          "summary": "https://github.com/opencontainers/runc/issues/3751",
          "url": "https://github.com/opencontainers/runc/issues/3751"
        }
      ],
      "release_date": "2023-02-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6380"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "runc: volume mount race condition (regression of CVE-2019-19921)"
    },
    {
      "cve": "CVE-2023-28642",
      "cwe": {
        "id": "CWE-305",
        "name": "Authentication Bypass by Primary Weakness"
      },
      "discovery_date": "2023-03-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2182883"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in runc. This vulnerability could allow a remote attacker to bypass security restrictions and create a symbolic link inside a container to the /proc directory, bypassing AppArmor and SELinux protections.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "runc: AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "The symlink vulnerability in runc allowing for the bypassing of AppArmor protections by manipulating the /proc symlink poses a moderate severity issue due to its potential impact on container isolation and security boundaries. While the exploitation requires specific mount configurations and access to the container\u0027s filesystem, it can lead to unauthorized access to host resources and potential privilege escalation within the containerized environment. This could enable attackers to compromise the integrity and confidentiality of other containers or the host system. Although the vulnerability does not allow direct remote code execution, its exploitation can result in significant security risks within containerized infrastructures, warranting a moderate severity rating.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
          "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
          "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-28642"
        },
        {
          "category": "external",
          "summary": "RHBZ#2182883",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2182883"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-28642",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-28642"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28642"
        },
        {
          "category": "external",
          "summary": "https://github.com/advisories/GHSA-g2j6-57v7-gm8c",
          "url": "https://github.com/advisories/GHSA-g2j6-57v7-gm8c"
        }
      ],
      "release_date": "2023-03-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:6380"
        },
        {
          "category": "workaround",
          "details": "Avoid using an untrusted container image.",
          "product_ids": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.src",
            "AppStream-9.3.0.GA:runc-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debuginfo-4:1.1.9-1.el9.x86_64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.aarch64",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.ppc64le",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.s390x",
            "AppStream-9.3.0.GA:runc-debugsource-4:1.1.9-1.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "runc: AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration"
    }
  ]
}