runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes /sys/fs/cgroup writable in following conditons: 1. when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g.., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host . Other userss cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add /sys/fs/cgroup to maskedPaths.
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Runc | Linuxfoundation | * | 1.1.5 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | container-tools:4.0-8090020230828093056.e7857ab1 | * |
| Red Hat Enterprise Linux 8 | RedHat | container-tools:rhel8-8090020230825121312.e7857ab1 | * |
| Red Hat Enterprise Linux 9 | RedHat | runc-4:1.1.9-1.el9 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/ose-vsphere-csi-driver-syncer-rhel8:v4.13.0-202304190216.p0.g6f4295b.assembly.stream | * |
| Runc | Ubuntu | bionic | * |
| Runc | Ubuntu | devel | * |
| Runc | Ubuntu | esm-apps/xenial | * |
| Runc | Ubuntu | focal | * |
| Runc | Ubuntu | jammy | * |
| Runc | Ubuntu | kinetic | * |
| Runc | Ubuntu | lunar | * |
| Runc | Ubuntu | trusty | * |
| Runc | Ubuntu | upstream | * |
| Runc | Ubuntu | xenial | * |