Vulnerability from csaf_suse
Published
2021-04-30 10:58
Modified
2021-04-30 10:58
Summary
Security update for containerd, docker, runc
Notes
Title of the patch
Security update for containerd, docker, runc
Description of the patch
This update for containerd, docker, runc fixes the following issues:
- Docker was updated to 20.10.6-ce
* Switch version to use -ce suffix rather than _ce to avoid confusing other
tools (bsc#1182476).
* CVE-2021-21284: Fixed a potential privilege escalation when the root user in
the remapped namespace has access to the host filesystem (bsc#1181732)
* CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest
crashes the dockerd daemon (bsc#1181730).
- runc was updated to v1.0.0~rc93 (bsc#1182451 and bsc#1184962).
* Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).
* Fixed /dev/null is not available (bsc#1168481).
* Fixed an issue where podman hangs when spawned by salt-minion process (bsc#1149954).
* CVE-2019-19921: Fixed a race condition with shared mounts (bsc#1160452).
* CVE-2019-16884: Fixed an LSM bypass via malicious Docker image that mount
over a /proc directory (bsc#1152308).
* CVE-2019-5736: Fixed potential write attacks to the host runc binary (bsc#1121967).
* Fixed an issue where after a kernel-update docker doesn't run (bsc#1131314 bsc#1131553)
* Ensure that we always include the version information in runc (bsc#1053532).
- Switch to Go 1.13 for build.
* CVE-2018-16873: Fixed a potential remote code execution (bsc#1118897).
* CVE-2018-16874: Fixed a directory traversal in 'go get' via curly braces
in import paths (bsc#1118898).
* CVE-2018-16875: Fixed a CPU denial of service (bsc#1118899).
* Fixed an issue with building containers (bsc#1095817).
- containerd was updated to v1.4.4
* CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).
* Handle a requirement from docker (bsc#1181594).
* Install the containerd-shim* binaries and stop creating (bsc#1183024).
* update version to the one required by docker (bsc#1034053)
- Use -buildmode=pie for tests and binary build (bsc#1048046, bsc#1051429)
- Cleanup seccomp builds similar (bsc#1028638).
- Update to handle the docker-runc removal, and drop the -kubic flavour (bsc#1181677, bsc#1181749)
Patchnames
SUSE-2021-1458,SUSE-SLE-Module-Containers-12-2021-1458
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for containerd, docker, runc", title: "Title of the patch", }, { category: "description", text: "This update for containerd, docker, runc fixes the following issues:\n\n- Docker was updated to 20.10.6-ce\n * Switch version to use -ce suffix rather than _ce to avoid confusing other\n tools (bsc#1182476).\n * CVE-2021-21284: Fixed a potential privilege escalation when the root user in \n the remapped namespace has access to the host filesystem (bsc#1181732)\n * CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest \n crashes the dockerd daemon (bsc#1181730). \n\n- runc was updated to v1.0.0~rc93 (bsc#1182451 and bsc#1184962).\n * Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821).\n * Fixed /dev/null is not available (bsc#1168481).\n * Fixed an issue where podman hangs when spawned by salt-minion process (bsc#1149954).\n * CVE-2019-19921: Fixed a race condition with shared mounts (bsc#1160452).\n * CVE-2019-16884: Fixed an LSM bypass via malicious Docker image that mount \n over a /proc directory (bsc#1152308).\n * CVE-2019-5736: Fixed potential write attacks to the host runc binary (bsc#1121967).\n * Fixed an issue where after a kernel-update docker doesn't run (bsc#1131314 bsc#1131553)\n * Ensure that we always include the version information in runc (bsc#1053532).\n \n- Switch to Go 1.13 for build.\n * CVE-2018-16873: Fixed a potential remote code execution (bsc#1118897).\n * CVE-2018-16874: Fixed a directory traversal in 'go get' via curly braces \n in import paths (bsc#1118898).\n * CVE-2018-16875: Fixed a CPU denial of service (bsc#1118899).\n * Fixed an issue with building containers (bsc#1095817).\n\n- containerd was updated to v1.4.4\n * CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397).\n * Handle a requirement from docker (bsc#1181594).\n * Install the containerd-shim* binaries and stop creating (bsc#1183024).\n * update version to the one required by docker (bsc#1034053)\n\n- Use -buildmode=pie for tests and binary build (bsc#1048046, bsc#1051429)\n- Cleanup seccomp builds similar (bsc#1028638).\n- Update to handle the docker-runc removal, and drop the -kubic flavour (bsc#1181677, bsc#1181749)\n", title: "Description of the patch", }, { category: "details", text: "SUSE-2021-1458,SUSE-SLE-Module-Containers-12-2021-1458", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2021_1458-1.json", }, { category: "self", summary: "URL for SUSE-SU-2021:1458-1", url: "https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2021:1458-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2021-April/008717.html", }, { category: "self", summary: "SUSE Bug 1028638", url: "https://bugzilla.suse.com/1028638", }, { category: "self", summary: "SUSE Bug 1034053", url: "https://bugzilla.suse.com/1034053", }, { category: "self", summary: "SUSE Bug 1048046", url: "https://bugzilla.suse.com/1048046", }, { category: "self", summary: "SUSE Bug 1051429", url: "https://bugzilla.suse.com/1051429", }, { category: "self", summary: "SUSE Bug 1053532", url: "https://bugzilla.suse.com/1053532", }, { category: "self", summary: "SUSE Bug 1095817", url: "https://bugzilla.suse.com/1095817", }, { category: "self", summary: "SUSE Bug 1118897", url: "https://bugzilla.suse.com/1118897", }, { category: "self", summary: "SUSE Bug 1118898", url: "https://bugzilla.suse.com/1118898", }, { category: "self", summary: "SUSE Bug 1118899", url: "https://bugzilla.suse.com/1118899", }, { category: "self", summary: "SUSE Bug 1121967", url: "https://bugzilla.suse.com/1121967", }, { category: "self", summary: "SUSE Bug 1131314", url: "https://bugzilla.suse.com/1131314", }, { category: "self", summary: "SUSE Bug 1131553", url: "https://bugzilla.suse.com/1131553", }, { category: "self", summary: "SUSE Bug 1149954", url: "https://bugzilla.suse.com/1149954", }, { category: "self", summary: "SUSE Bug 1152308", url: "https://bugzilla.suse.com/1152308", }, { category: "self", summary: "SUSE Bug 1160452", url: "https://bugzilla.suse.com/1160452", }, { category: "self", summary: "SUSE Bug 1168481", url: "https://bugzilla.suse.com/1168481", }, { category: "self", summary: "SUSE Bug 1175081", url: "https://bugzilla.suse.com/1175081", }, { category: "self", summary: "SUSE Bug 1175821", url: "https://bugzilla.suse.com/1175821", }, { category: "self", summary: "SUSE Bug 1181594", url: "https://bugzilla.suse.com/1181594", }, { category: "self", summary: "SUSE Bug 1181641", url: "https://bugzilla.suse.com/1181641", }, { category: "self", summary: "SUSE Bug 1181677", url: "https://bugzilla.suse.com/1181677", }, { category: "self", summary: "SUSE Bug 1181730", url: "https://bugzilla.suse.com/1181730", }, { category: "self", summary: "SUSE Bug 1181732", url: "https://bugzilla.suse.com/1181732", }, { category: "self", summary: "SUSE Bug 1181749", url: "https://bugzilla.suse.com/1181749", }, { category: "self", summary: "SUSE Bug 1182451", url: "https://bugzilla.suse.com/1182451", }, { category: "self", summary: "SUSE Bug 1182476", url: "https://bugzilla.suse.com/1182476", }, { category: "self", summary: "SUSE Bug 1182947", url: "https://bugzilla.suse.com/1182947", }, { category: "self", summary: "SUSE Bug 1183024", url: "https://bugzilla.suse.com/1183024", }, { category: "self", summary: "SUSE Bug 1183397", url: "https://bugzilla.suse.com/1183397", }, { category: "self", summary: "SUSE Bug 1183855", url: "https://bugzilla.suse.com/1183855", }, { category: "self", summary: "SUSE Bug 1184768", url: "https://bugzilla.suse.com/1184768", }, { category: "self", summary: "SUSE Bug 1184962", url: "https://bugzilla.suse.com/1184962", }, { category: "self", summary: "SUSE CVE CVE-2018-16873 page", url: "https://www.suse.com/security/cve/CVE-2018-16873/", }, { category: "self", summary: "SUSE CVE CVE-2018-16874 page", url: "https://www.suse.com/security/cve/CVE-2018-16874/", }, { category: "self", summary: "SUSE CVE CVE-2018-16875 page", url: "https://www.suse.com/security/cve/CVE-2018-16875/", }, { category: "self", summary: "SUSE CVE CVE-2019-16884 page", url: "https://www.suse.com/security/cve/CVE-2019-16884/", }, { category: "self", summary: "SUSE CVE CVE-2019-19921 page", url: "https://www.suse.com/security/cve/CVE-2019-19921/", }, { category: "self", summary: "SUSE CVE CVE-2019-5736 page", url: "https://www.suse.com/security/cve/CVE-2019-5736/", }, { category: "self", summary: "SUSE CVE CVE-2021-21284 page", url: "https://www.suse.com/security/cve/CVE-2021-21284/", }, { category: "self", summary: "SUSE CVE CVE-2021-21285 page", url: "https://www.suse.com/security/cve/CVE-2021-21285/", }, { category: "self", summary: "SUSE CVE CVE-2021-21334 page", url: "https://www.suse.com/security/cve/CVE-2021-21334/", }, ], title: "Security update for containerd, docker, runc", tracking: { current_release_date: "2021-04-30T10:58:51Z", generator: { date: "2021-04-30T10:58:51Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2021:1458-1", initial_release_date: "2021-04-30T10:58:51Z", revision_history: [ { date: "2021-04-30T10:58:51Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "containerd-1.4.4-16.38.1.aarch64", product: { name: "containerd-1.4.4-16.38.1.aarch64", product_id: "containerd-1.4.4-16.38.1.aarch64", }, }, { category: "product_version", name: "containerd-ctr-1.4.4-16.38.1.aarch64", product: { name: "containerd-ctr-1.4.4-16.38.1.aarch64", product_id: "containerd-ctr-1.4.4-16.38.1.aarch64", }, }, { category: "product_version", name: "docker-20.10.6_ce-98.66.1.aarch64", product: { name: "docker-20.10.6_ce-98.66.1.aarch64", product_id: "docker-20.10.6_ce-98.66.1.aarch64", }, }, { category: "product_version", name: "docker-kubic-20.10.6_ce-98.66.1.aarch64", product: { name: "docker-kubic-20.10.6_ce-98.66.1.aarch64", product_id: "docker-kubic-20.10.6_ce-98.66.1.aarch64", }, }, { category: "product_version", name: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.aarch64", product: { name: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.aarch64", product_id: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.aarch64", }, }, { category: "product_version", name: "runc-1.0.0~rc93-16.8.1.aarch64", product: { name: "runc-1.0.0~rc93-16.8.1.aarch64", product_id: "runc-1.0.0~rc93-16.8.1.aarch64", }, }, ], category: "architecture", name: "aarch64", }, { branches: [ { category: "product_version", name: "containerd-1.4.4-16.38.1.i586", product: { name: "containerd-1.4.4-16.38.1.i586", product_id: "containerd-1.4.4-16.38.1.i586", }, }, { category: "product_version", name: "containerd-ctr-1.4.4-16.38.1.i586", product: { name: "containerd-ctr-1.4.4-16.38.1.i586", product_id: "containerd-ctr-1.4.4-16.38.1.i586", }, }, { category: "product_version", name: "docker-20.10.6_ce-98.66.1.i586", product: { name: "docker-20.10.6_ce-98.66.1.i586", product_id: "docker-20.10.6_ce-98.66.1.i586", }, }, { category: "product_version", name: "runc-1.0.0~rc93-16.8.1.i586", product: { name: "runc-1.0.0~rc93-16.8.1.i586", product_id: "runc-1.0.0~rc93-16.8.1.i586", }, }, ], category: "architecture", name: "i586", }, { branches: [ { category: "product_version", name: "docker-bash-completion-20.10.6_ce-98.66.1.noarch", product: { name: "docker-bash-completion-20.10.6_ce-98.66.1.noarch", product_id: "docker-bash-completion-20.10.6_ce-98.66.1.noarch", }, }, { category: "product_version", name: "docker-fish-completion-20.10.6_ce-98.66.1.noarch", product: { name: "docker-fish-completion-20.10.6_ce-98.66.1.noarch", product_id: "docker-fish-completion-20.10.6_ce-98.66.1.noarch", }, }, { category: "product_version", name: "docker-kubic-bash-completion-20.10.6_ce-98.66.1.noarch", product: { name: "docker-kubic-bash-completion-20.10.6_ce-98.66.1.noarch", product_id: "docker-kubic-bash-completion-20.10.6_ce-98.66.1.noarch", }, }, { category: "product_version", name: "docker-kubic-fish-completion-20.10.6_ce-98.66.1.noarch", product: { name: "docker-kubic-fish-completion-20.10.6_ce-98.66.1.noarch", product_id: "docker-kubic-fish-completion-20.10.6_ce-98.66.1.noarch", }, }, { category: "product_version", name: "docker-kubic-zsh-completion-20.10.6_ce-98.66.1.noarch", product: { name: "docker-kubic-zsh-completion-20.10.6_ce-98.66.1.noarch", product_id: "docker-kubic-zsh-completion-20.10.6_ce-98.66.1.noarch", }, }, { category: "product_version", name: "docker-zsh-completion-20.10.6_ce-98.66.1.noarch", product: { name: "docker-zsh-completion-20.10.6_ce-98.66.1.noarch", product_id: "docker-zsh-completion-20.10.6_ce-98.66.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "containerd-1.4.4-16.38.1.ppc64le", product: { name: "containerd-1.4.4-16.38.1.ppc64le", product_id: "containerd-1.4.4-16.38.1.ppc64le", }, }, { category: "product_version", name: "containerd-ctr-1.4.4-16.38.1.ppc64le", product: { name: "containerd-ctr-1.4.4-16.38.1.ppc64le", product_id: "containerd-ctr-1.4.4-16.38.1.ppc64le", }, }, { category: "product_version", name: "docker-20.10.6_ce-98.66.1.ppc64le", product: { name: "docker-20.10.6_ce-98.66.1.ppc64le", product_id: "docker-20.10.6_ce-98.66.1.ppc64le", }, }, { category: "product_version", name: "docker-kubic-20.10.6_ce-98.66.1.ppc64le", product: { name: "docker-kubic-20.10.6_ce-98.66.1.ppc64le", product_id: "docker-kubic-20.10.6_ce-98.66.1.ppc64le", }, }, { category: "product_version", name: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.ppc64le", product: { name: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.ppc64le", product_id: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.ppc64le", }, }, { category: "product_version", name: "runc-1.0.0~rc93-16.8.1.ppc64le", product: { name: "runc-1.0.0~rc93-16.8.1.ppc64le", product_id: "runc-1.0.0~rc93-16.8.1.ppc64le", }, }, ], category: "architecture", name: "ppc64le", }, { branches: [ { category: "product_version", name: "containerd-1.4.4-16.38.1.s390x", product: { name: "containerd-1.4.4-16.38.1.s390x", product_id: "containerd-1.4.4-16.38.1.s390x", }, }, { category: "product_version", name: "containerd-ctr-1.4.4-16.38.1.s390x", product: { name: "containerd-ctr-1.4.4-16.38.1.s390x", product_id: "containerd-ctr-1.4.4-16.38.1.s390x", }, }, { category: "product_version", name: "docker-20.10.6_ce-98.66.1.s390x", product: { name: "docker-20.10.6_ce-98.66.1.s390x", product_id: "docker-20.10.6_ce-98.66.1.s390x", }, }, { category: "product_version", name: "docker-kubic-20.10.6_ce-98.66.1.s390x", product: { name: "docker-kubic-20.10.6_ce-98.66.1.s390x", product_id: "docker-kubic-20.10.6_ce-98.66.1.s390x", }, }, { category: "product_version", name: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.s390x", product: { name: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.s390x", product_id: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.s390x", }, }, { category: "product_version", name: "runc-1.0.0~rc93-16.8.1.s390x", product: { name: "runc-1.0.0~rc93-16.8.1.s390x", product_id: "runc-1.0.0~rc93-16.8.1.s390x", }, }, ], category: "architecture", name: "s390x", }, { branches: [ { category: "product_version", name: "containerd-1.4.4-16.38.1.x86_64", product: { name: "containerd-1.4.4-16.38.1.x86_64", product_id: "containerd-1.4.4-16.38.1.x86_64", }, }, { category: "product_version", name: "containerd-ctr-1.4.4-16.38.1.x86_64", product: { name: "containerd-ctr-1.4.4-16.38.1.x86_64", product_id: "containerd-ctr-1.4.4-16.38.1.x86_64", }, }, { category: "product_version", name: "docker-20.10.6_ce-98.66.1.x86_64", product: { name: "docker-20.10.6_ce-98.66.1.x86_64", product_id: "docker-20.10.6_ce-98.66.1.x86_64", }, }, { category: "product_version", name: "docker-kubic-20.10.6_ce-98.66.1.x86_64", product: { name: "docker-kubic-20.10.6_ce-98.66.1.x86_64", product_id: "docker-kubic-20.10.6_ce-98.66.1.x86_64", }, }, { category: "product_version", name: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.x86_64", product: { name: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.x86_64", product_id: "docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1.x86_64", }, }, { category: "product_version", name: "runc-1.0.0~rc93-16.8.1.x86_64", product: { name: "runc-1.0.0~rc93-16.8.1.x86_64", product_id: "runc-1.0.0~rc93-16.8.1.x86_64", }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Module for Containers 12", product: { name: "SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12", product_identification_helper: { cpe: "cpe:/o:suse:sle-module-containers:12", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "containerd-1.4.4-16.38.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", }, product_reference: "containerd-1.4.4-16.38.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Containers 12", }, { category: "default_component_of", full_product_name: { name: "containerd-1.4.4-16.38.1.s390x as component of SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", }, product_reference: "containerd-1.4.4-16.38.1.s390x", relates_to_product_reference: "SUSE Linux Enterprise Module for Containers 12", }, { category: "default_component_of", full_product_name: { name: "containerd-1.4.4-16.38.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", }, product_reference: "containerd-1.4.4-16.38.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Containers 12", }, { category: "default_component_of", full_product_name: { name: "docker-20.10.6_ce-98.66.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", }, product_reference: "docker-20.10.6_ce-98.66.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Containers 12", }, { category: "default_component_of", full_product_name: { name: "docker-20.10.6_ce-98.66.1.s390x as component of SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", }, product_reference: "docker-20.10.6_ce-98.66.1.s390x", relates_to_product_reference: "SUSE Linux Enterprise Module for Containers 12", }, { category: "default_component_of", full_product_name: { name: "docker-20.10.6_ce-98.66.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", }, product_reference: "docker-20.10.6_ce-98.66.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Containers 12", }, { category: "default_component_of", full_product_name: { name: "runc-1.0.0~rc93-16.8.1.ppc64le as component of SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", }, product_reference: "runc-1.0.0~rc93-16.8.1.ppc64le", relates_to_product_reference: "SUSE Linux Enterprise Module for Containers 12", }, { category: "default_component_of", full_product_name: { name: "runc-1.0.0~rc93-16.8.1.s390x as component of SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", }, product_reference: "runc-1.0.0~rc93-16.8.1.s390x", relates_to_product_reference: "SUSE Linux Enterprise Module for Containers 12", }, { category: "default_component_of", full_product_name: { name: "runc-1.0.0~rc93-16.8.1.x86_64 as component of SUSE Linux Enterprise Module for Containers 12", product_id: "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", }, product_reference: "runc-1.0.0~rc93-16.8.1.x86_64", relates_to_product_reference: "SUSE Linux Enterprise Module for Containers 12", }, ], }, vulnerabilities: [ { cve: "CVE-2018-16873", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-16873", }, ], notes: [ { category: "general", text: "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named \".git\" by using a vanity import path that ends with \"/.git\". If the Git repository root contains a \"HEAD\" file, a \"config\" file, an \"objects\" directory, a \"refs\" directory, with some work to ensure the proper ordering of operations, \"go get -u\" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the \"config\" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running \"go get -u\".", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-16873", url: "https://www.suse.com/security/cve/CVE-2018-16873", }, { category: "external", summary: "SUSE Bug 1118897 for CVE-2018-16873", url: "https://bugzilla.suse.com/1118897", }, { category: "external", summary: "SUSE Bug 1118898 for CVE-2018-16873", url: "https://bugzilla.suse.com/1118898", }, { category: "external", summary: "SUSE Bug 1118899 for CVE-2018-16873", url: "https://bugzilla.suse.com/1118899", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-04-30T10:58:51Z", details: "important", }, ], title: "CVE-2018-16873", }, { cve: "CVE-2018-16874", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-16874", }, ], notes: [ { category: "general", text: "In Go before 1.10.6 and 1.11.x before 1.11.3, the \"go get\" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-16874", url: "https://www.suse.com/security/cve/CVE-2018-16874", }, { category: "external", summary: "SUSE Bug 1118897 for CVE-2018-16874", url: "https://bugzilla.suse.com/1118897", }, { category: "external", summary: "SUSE Bug 1118898 for CVE-2018-16874", url: "https://bugzilla.suse.com/1118898", }, { category: "external", summary: "SUSE Bug 1118899 for CVE-2018-16874", url: "https://bugzilla.suse.com/1118899", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.8, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-04-30T10:58:51Z", details: "moderate", }, ], title: "CVE-2018-16874", }, { cve: "CVE-2018-16875", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2018-16875", }, ], notes: [ { category: "general", text: "The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2018-16875", url: "https://www.suse.com/security/cve/CVE-2018-16875", }, { category: "external", summary: "SUSE Bug 1118897 for CVE-2018-16875", url: "https://bugzilla.suse.com/1118897", }, { category: "external", summary: "SUSE Bug 1118898 for CVE-2018-16875", url: "https://bugzilla.suse.com/1118898", }, { category: "external", summary: "SUSE Bug 1118899 for CVE-2018-16875", url: "https://bugzilla.suse.com/1118899", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.9, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-04-30T10:58:51Z", details: "moderate", }, ], title: "CVE-2018-16875", }, { cve: "CVE-2019-16884", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-16884", }, ], notes: [ { category: "general", text: "runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-16884", url: "https://www.suse.com/security/cve/CVE-2019-16884", }, { category: "external", summary: "SUSE Bug 1152308 for CVE-2019-16884", url: "https://bugzilla.suse.com/1152308", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-04-30T10:58:51Z", details: "moderate", }, ], title: "CVE-2019-16884", }, { cve: "CVE-2019-19921", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-19921", }, ], notes: [ { category: "general", text: "runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-19921", url: "https://www.suse.com/security/cve/CVE-2019-19921", }, { category: "external", summary: "SUSE Bug 1160452 for CVE-2019-19921", url: "https://bugzilla.suse.com/1160452", }, { category: "external", summary: "SUSE Bug 1208962 for CVE-2019-19921", url: "https://bugzilla.suse.com/1208962", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-04-30T10:58:51Z", details: "moderate", }, ], title: "CVE-2019-19921", }, { cve: "CVE-2019-5736", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2019-5736", }, ], notes: [ { category: "general", text: "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2019-5736", url: "https://www.suse.com/security/cve/CVE-2019-5736", }, { category: "external", summary: "SUSE Bug 1121967 for CVE-2019-5736", url: "https://bugzilla.suse.com/1121967", }, { category: "external", summary: "SUSE Bug 1122185 for CVE-2019-5736", url: "https://bugzilla.suse.com/1122185", }, { category: "external", summary: "SUSE Bug 1173421 for CVE-2019-5736", url: "https://bugzilla.suse.com/1173421", }, { category: "external", summary: "SUSE Bug 1218894 for CVE-2019-5736", url: "https://bugzilla.suse.com/1218894", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-04-30T10:58:51Z", details: "important", }, ], title: "CVE-2019-5736", }, { cve: "CVE-2021-21284", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21284", }, ], notes: [ { category: "general", text: "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using \"--userns-remap\", if the root user in the remapped namespace has access to the host filesystem they can modify files under \"/var/lib/docker/<remapping>\" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21284", url: "https://www.suse.com/security/cve/CVE-2021-21284", }, { category: "external", summary: "SUSE Bug 1181732 for CVE-2021-21284", url: "https://bugzilla.suse.com/1181732", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 2.5, baseSeverity: "LOW", vectorString: "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-04-30T10:58:51Z", details: "low", }, ], title: "CVE-2021-21284", }, { cve: "CVE-2021-21285", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21285", }, ], notes: [ { category: "general", text: "In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21285", url: "https://www.suse.com/security/cve/CVE-2021-21285", }, { category: "external", summary: "SUSE Bug 1181730 for CVE-2021-21285", url: "https://bugzilla.suse.com/1181730", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-04-30T10:58:51Z", details: "moderate", }, ], title: "CVE-2021-21285", }, { cve: "CVE-2021-21334", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-21334", }, ], notes: [ { category: "general", text: "In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-21334", url: "https://www.suse.com/security/cve/CVE-2021-21334", }, { category: "external", summary: "SUSE Bug 1183397 for CVE-2021-21334", url: "https://bugzilla.suse.com/1183397", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 6.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", version: "3.1", }, products: [ "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.s390x", "SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.s390x", "SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1.x86_64", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.ppc64le", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.s390x", "SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2021-04-30T10:58:51Z", details: "moderate", }, ], title: "CVE-2021-21334", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.