runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when /proc inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked /proc. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Runc | Linuxfoundation | * | 1.1.5 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | container-tools:4.0-8090020230828093056.e7857ab1 | * |
| Red Hat Enterprise Linux 8 | RedHat | container-tools:rhel8-8090020230825121312.e7857ab1 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | container-tools:3.0-8040020240104111259.c0c392d5 | * |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | container-tools:3.0-8040020240104111259.c0c392d5 | * |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | container-tools:3.0-8040020240104111259.c0c392d5 | * |
| Red Hat Enterprise Linux 9 | RedHat | runc-4:1.1.9-1.el9 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/ose-vsphere-csi-driver-syncer-rhel8:v4.13.0-202304190216.p0.g6f4295b.assembly.stream | * |
| Runc | Ubuntu | bionic | * |
| Runc | Ubuntu | devel | * |
| Runc | Ubuntu | esm-apps/xenial | * |
| Runc | Ubuntu | focal | * |
| Runc | Ubuntu | jammy | * |
| Runc | Ubuntu | kinetic | * |
| Runc | Ubuntu | lunar | * |
| Runc | Ubuntu | trusty | * |
| Runc | Ubuntu | upstream | * |
| Runc | Ubuntu | xenial | * |