Oracle Linux: CVE-2023-27561: ELSA-2023-6380: runc security update (MODERATE) (Multiple Advisories)

Oracle Linux: CVE-2023-27561: ELSA-2023-6380:runc security update (MODERATE) (Multiple Advisories)

Severity

6

CVSS

(AV:L/AC:H/Au:S/C:C/I:C/A:C)

Published

02/20/2023

Created

07/21/2023

Added

07/20/2023

Modified

01/07/2025

Description

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume.

Solution(s)

• oracle-linux-upgrade-aardvark-dns
• oracle-linux-upgrade-buildah
• oracle-linux-upgrade-buildah-tests
• oracle-linux-upgrade-cockpit-podman
• oracle-linux-upgrade-conmon
• oracle-linux-upgrade-containernetworking-plugins
• oracle-linux-upgrade-containers-common
• oracle-linux-upgrade-container-selinux
• oracle-linux-upgrade-crit
• oracle-linux-upgrade-criu
• oracle-linux-upgrade-criu-devel
• oracle-linux-upgrade-criu-libs
• oracle-linux-upgrade-crun
• oracle-linux-upgrade-fuse-overlayfs
• oracle-linux-upgrade-libslirp
• oracle-linux-upgrade-libslirp-devel
• oracle-linux-upgrade-netavark
• oracle-linux-upgrade-oci-seccomp-bpf-hook
• oracle-linux-upgrade-podman
• oracle-linux-upgrade-podman-catatonit
• oracle-linux-upgrade-podman-docker
• oracle-linux-upgrade-podman-gvproxy
• oracle-linux-upgrade-podman-plugins
• oracle-linux-upgrade-podman-remote
• oracle-linux-upgrade-podman-tests
• oracle-linux-upgrade-python3-criu
• oracle-linux-upgrade-python3-podman
• oracle-linux-upgrade-runc
• oracle-linux-upgrade-skopeo
• oracle-linux-upgrade-skopeo-tests
• oracle-linux-upgrade-slirp4netns
• oracle-linux-upgrade-udica

References

• https://attackerkb.com/topics/cve-2023-27561
• CVE - 2023-27561
• ELSA-2023-6380
• ELSA-2023-6938
• ELSA-2023-12579
• ELSA-2023-12578
• ELSA-2023-6939