CVE-2023-25809: Improper Preservation of Permissions
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes /sys/fs/cgroup
writable in following conditons: 1. when runc is executed inside the user namespace, and the config.json
does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host
, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and /sys
is mounted with rbind, ro
(e.g., runc spec --rootless
; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/...
on the host . Other user’s cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private)
. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add /sys/fs/cgroup
to maskedPaths
.
References
Detect and mitigate CVE-2023-25809 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →