CVE-2022-0071 Hotdog did not replicate the JVM process resource limits, device restrictions, or syscall filters.

CVE-2022-0071 Hotdog did not replicate the JVM process resource limits, device restrictions, or syscall filters.

This issue was addressed with the release of v1.0.3. Hotdog now limits the number of processes per container, restricts the ability to modify host devices, and prevents syscalls that would otherwise be blocked. CVE-2021-3103. Prior to v1.0.1, Hotdog would not properly handle an invalid LD_LIBRARY_PATH environment variable. This could allow a container to load a library outside the expected path and with invalid permissions. This issue was addressed with the release of v1.0.2.

CVE-2021-3106. Prior to v1.0.2, Hotdog did not properly validate the underlying JVM process. This would allow a container to spawn an arbitrary JVM process with the specified name. This issue was addressed with the release of v1.0.3. Hotdog now validates the JVM process and rejects invalid names.

Updates for v2.0.0

Hotdog v2.0.0 includes new features and improvements that help with security and stability concerns. These changes include:

- Process Limits: Hotdog will now limit the number of processes per container to 8, restrict the ability to modify host devices, and prevent syscalls that would otherwise be blocked.
- LD_LIBRARY_PATH Validation: Hotdog will now properly handle an invalid LD_LIBRARY_PATH environment variable.
- JVM Validation: Hotdog will now validate the underlying JVM process and reject invalid names.

Updates to the Cloud Controller Runtime

The following vulnerabilities have been addressed with the release of v1.0.3:
- CVE-2010-5688: SOCKS Proxy Service Privilege Escalation
- CVE-2016-4452: Privilege Escalation via Ldap Distributed Mode
- CVE-2016-1755: Privilege Escalation via LDAP Distributed Mode

CVE-2010-5688: SOCKS Proxy Service Privilege Escalation
Prior to v1.0.3, Hotdog would not properly handle a malformed request to the SOCKS proxy service. This was addressed with the release of v1.0.3 which now validates these requests and rejects invalid requests.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe