A heap buffer overflow flaw was found in IPsec ESP transformation code in net/ipv4/esp4.c and net/ipv6/esp6.c. This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.

net/netfilter/nf_dup_netdev.c in the Linux kernel 5.4 through 5.6.10 allows local users to gain privileges because of a heap out-of-bounds write.

Proofpoint Insider Threat Management Agent for Windows relies on an inherently dangerous function that could enable an unprivileged local Windows user to run arbitrary code with SYSTEM privileges. All versions prior to 7.12.1 are affected. Agents for macOS, Linux and Cloud are unaffected. Proofpoint has released fixed software version 7.12.1. The fixed software versions are available through the customer support portal.

Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox, as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset.
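A defender-side check for the Moby (Docker Engine) inheritable-capabilities bug described above, added here as an example and not code from the Moby project or the advisory: it parses the Cap* lines of /proc/<pid>/status, decodes CapInh, and flags a non-empty inheritable set, which PID 1 of a container started by a fixed engine should not show. The sample status lines are constructed; the capability bit numbering follows linux/capability.h and the check_pid helper is an assumed convenience wrapper.

```python
import re
from pathlib import Path

# Capability bit numbers from linux/capability.h (list index == bit number).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid",
    "setuid", "setpcap", "linux_immutable", "net_bind_service", "net_broadcast", "net_admin",
    "net_raw", "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace",
    "sys_pacct", "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control", "setfcap",
    "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", "audit_read",
    "perfmon", "bpf", "checkpoint_restore",
]
CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)

def parse_caps(status_text):
    """Map the Cap* lines of a /proc/<pid>/status dump to integer bitmasks."""
    return {name: int(hexval, 16) for name, hexval in CAP_LINE.findall(status_text)}

def cap_names(mask):
    """Decode a capability bitmask into names (unknown bits are shown as numbers)."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else str(b)
            for b in range(64) if mask >> b & 1]

def check_inheritable(status_text):
    """Report the symptom of the Moby bug: a non-empty CapInh in a container process."""
    caps = parse_caps(status_text)
    inh, bnd = caps.get("CapInh", 0), caps.get("CapBnd", 0)
    return {
        "affected": inh != 0,
        "inheritable": cap_names(inh),
        # The advisory's sandbox argument: CapInh never exceeded the bounding set.
        "inh_within_bounding": (inh & ~bnd) == 0,
    }

def check_pid(pid="self"):
    """Run the check on a live process, e.g. PID 1 as seen from inside a container."""
    return check_inheritable(Path(f"/proc/{pid}/status").read_text())

# Constructed sample: Cap* lines of PID 1 in a default container on a buggy engine.
# CapInh equals the bounding set; 0xa80425fb is Docker's default capability set.
BUGGY_STATUS = """CapInh:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""
# Same container on a fixed engine: the inheritable set is empty.
FIXED_STATUS = BUGGY_STATUS.replace("CapInh:\t00000000a80425fb", "CapInh:\t0000000000000000")
if __name__ == "__main__":
    for label, text in (("buggy", BUGGY_STATUS), ("fixed", FIXED_STATUS)):
        print(label, check_inheritable(text))
```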