runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when /proc inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked /proc. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Runc | Linuxfoundation | * | 1.1.5 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | container-tools:4.0-8090020230828093056.e7857ab1 | * |
| Red Hat Enterprise Linux 8 | RedHat | container-tools:rhel8-8090020230825121312.e7857ab1 | * |
| Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | RedHat | container-tools:3.0-8040020240104111259.c0c392d5 | * |
| Red Hat Enterprise Linux 8.4 Telecommunications Update Service | RedHat | container-tools:3.0-8040020240104111259.c0c392d5 | * |
| Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | RedHat | container-tools:3.0-8040020240104111259.c0c392d5 | * |
| Red Hat Enterprise Linux 9 | RedHat | runc-4:1.1.9-1.el9 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | openshift4/ose-vsphere-csi-driver-syncer-rhel8:v4.13.0-202304190216.p0.g6f4295b.assembly.stream | * |
| Runc | Ubuntu | bionic | * |
| Runc | Ubuntu | devel | * |
| Runc | Ubuntu | esm-apps/xenial | * |
| Runc | Ubuntu | focal | * |
| Runc | Ubuntu | jammy | * |
| Runc | Ubuntu | kinetic | * |
| Runc | Ubuntu | lunar | * |
| Runc | Ubuntu | trusty | * |
| Runc | Ubuntu | upstream | * |
| Runc | Ubuntu | xenial | * |