
How to update to a fix for CVE-2022-29162

As a result of these changes, programs running in containers using runc 1.1.2 or later are subject to the same security sandbox policies as before this bug was discovered. To update your runc installation, simply run:

    $ runc upgrade

This will install a new version and upgrade your existing installation.

Runc 1.1.1 CVE-2022-29162

This security update fixes a newly discovered bug in runc 1.1.2. As a result of the changes to the Linux security sandbox policy, programs running in containers using runc 1.1.2 or later are subject to the same security sandbox policies as before this bug was discovered.
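The practical check that follows from the paragraph above is whether the runc on a host reports 1.1.2 or later. The script below is an added example, not part of this page and not the runc project's own tooling; it assumes only that `runc --version` prints a first line of the form "runc version X.Y.Z" and compares that version against 1.1.2, treating a pre-release such as 1.1.2-rc.1 as older than the final 1.1.2 release. The sample outputs inside it are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example: decide whether an installed runc is at or above the release
# the page names as fixed (1.1.2). Assumption: `runc --version` prints a line
# "runc version X.Y.Z" (optionally with a "-rc.N" style suffix).

FIXED_VERSION="1.1.2"

# runc_version_ge INSTALLED REQUIRED -> status 0 if INSTALLED >= REQUIRED.
# Compares the dotted numeric parts; a pre-release suffix ("-...") on the
# installed version counts as older than the release it precedes.
runc_version_ge() {
    installed="$1"
    required="$2"
    base="${installed%%-*}"          # drop any "-rc.1" style suffix
    lowest=$(printf '%s\n%s\n' "$base" "$required" \
             | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    if [ "$base" != "$installed" ]; then
        # pre-release: base version must be strictly newer than required
        [ "$lowest" = "$required" ] && [ "$base" != "$required" ]
    else
        [ "$lowest" = "$required" ]
    fi
}

# parse_runc_version TEXT -> prints the version token from "runc version X.Y.Z",
# or nothing if no such line is present.
parse_runc_version() {
    printf '%s\n' "$1" | sed -n 's/^runc version \([^ ]*\).*/\1/p' | head -n 1
}

# check_runc_output TEXT -> prints "fixed", "vulnerable" or "unknown" for a
# captured `runc --version` output; status 0 only when fixed.
check_runc_output() {
    v=$(parse_runc_version "$1")
    if [ -z "$v" ]; then
        printf 'unknown\n'
        return 2
    fi
    if runc_version_ge "$v" "$FIXED_VERSION"; then
        printf 'fixed\n'
        return 0
    fi
    printf 'vulnerable\n'
    return 1
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OLD="runc version 1.1.1
commit: 0000000
spec: 1.0.2-dev"
SAMPLE_NEW="runc version 1.1.2
commit: 0000000
spec: 1.0.2-dev"

# Stand-alone usage: report on the samples, then on the local runc if present.
# A non-zero status just means "not fixed"; ignore it here so the demo continues.
check_runc_output "$SAMPLE_OLD" || true    # prints: vulnerable
check_runc_output "$SAMPLE_NEW" || true    # prints: fixed
if command -v runc >/dev/null 2>&1; then
    check_runc_output "$(runc --version 2>/dev/null)" || true
fi
```

The exit status of check_runc_output makes it usable from an inventory script (0 fixed, 1 vulnerable, 2 version not parsed), so a fleet check can feed the result straight into a ticket or alert rather than eyeballing the printed word.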

Runc Security Sandbox Policy

The Runc security sandbox policy was designed to keep programs from accessing and modifying the host system. The default security sandbox policy is as follows:
- runc will allow any user to run anything as root
- all other users will only be allowed to use their own set of utilities (such as telnet, ssh, etc.)
- all other users will be required to authenticate with a password when they use these utilities
- the nologin utility is disabled by default in both containers and privileged mode

RunC 1.1.2 and CVE-2022-29162

Though you should update your runc installation to fix this issue, it's not the only thing you need to be aware of. The version of runc released on October 31st will also be tagged as CVE-2020-29162.

The change made in runc 1.1.2 was to its handling of shared memory, which differs from previous versions of the tool. To apply the patch for CVE-2020-29162, follow these instructions:

    $ runc upgrade

To update your runc installation, simply run:

    $ sudo apt install -y libseccomp2 libseccomp0 && ./configure --enable-libseccomp && make && sudo make install

Timeline

Published on: 05/17/2022 21:15:00 UTC
Last modified on: 06/02/2022 14:15:00 UTC
