CVE-2023-28642

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2023-28642

Severity

6.1

Medium

CVSS V3

Summary

AppArmor bypass with symlinked /proc in runc

Description

runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when /proc inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked /proc. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.

References

https://images.chainguard.dev/security/CGA-jj6c-2jwp-vgq7
https://github.com/advisories/GHSA-g2j6-57v7-gm8c
https://images.chainguard.dev/security/CGA-hqm9-wq7w-hpgg
https://images.chainguard.dev/security/CGA-959m-f2hx-94gg
https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/28xxx/CVE-2023-28642.json
https://github.com/opencontainers/runc/pull/3785
https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c
https://nvd.nist.gov/vuln/detail/CVE-2023-28642
https://security.netapp.com/advisory/ntap-20241206-0005/

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2023-28642

Severity

Summary

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company