Rocky Linux 8 : container-tools:rhel8 (RLSA-2022:7457)

high Nessus Plugin ID 171546


The remote Rocky Linux host is missing one or more security updates.


The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:7457 advisory.

- runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. (CVE-2022-29162)

- Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. (CVE-2021-36221)

- The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both manifests and layers fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both manifests and layers fields or manifests and config fields if they are unable to update to version 1.0.1 of the spec. (CVE-2021-41190)

- A vulnerability was found in CRI-O that causes memory or disk space exhaustion on the node for anyone with access to the Kube API. The ExecSync request runs commands in a container and logs the output of the command. This output is then read by CRI-O after command execution, and it is read in a manner where the entire file corresponding to the output of the command is read in. Thus, if the output of the command is large it is possible to exhaust the memory or the disk space of the node when CRI-O reads the output of the command. The highest threat from this vulnerability is system availability. (CVE-2022-1708)

- An incorrect handling of the supplementary groups in the Buildah container engine might lead to the sensitive information disclosure or possible data modification if an attacker has direct access to the affected container where supplementary groups are used to set access permissions and is able to execute a binary code in that container. (CVE-2022-2990)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.


Update the affected packages.

See Also

Plugin Details

Severity: High

ID: 171546

File Name: rocky_linux_RLSA-2022-7457.nasl

Version: 1.5

Type: local

Published: 2/16/2023

Updated: 9/4/2023

Supported Sensors: Nessus

Risk Information


Risk Factor: Medium

Score: 6.7


Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-29162


Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:rocky:linux:python3-criu, p-cpe:/a:rocky:linux:runc, p-cpe:/a:rocky:linux:runc-debuginfo, p-cpe:/a:rocky:linux:runc-debugsource, p-cpe:/a:rocky:linux:slirp4netns, p-cpe:/a:rocky:linux:slirp4netns-debuginfo, p-cpe:/a:rocky:linux:slirp4netns-debugsource, p-cpe:/a:rocky:linux:toolbox, p-cpe:/a:rocky:linux:toolbox-debuginfo, p-cpe:/a:rocky:linux:toolbox-debugsource, p-cpe:/a:rocky:linux:toolbox-tests, p-cpe:/a:rocky:linux:udica, cpe:/o:rocky:linux:8, p-cpe:/a:rocky:linux:cockpit-podman, p-cpe:/a:rocky:linux:conmon, p-cpe:/a:rocky:linux:conmon-debuginfo, p-cpe:/a:rocky:linux:conmon-debugsource, p-cpe:/a:rocky:linux:container-selinux, p-cpe:/a:rocky:linux:containernetworking-plugins, p-cpe:/a:rocky:linux:containernetworking-plugins-debuginfo, p-cpe:/a:rocky:linux:containernetworking-plugins-debugsource, p-cpe:/a:rocky:linux:crit, p-cpe:/a:rocky:linux:criu, p-cpe:/a:rocky:linux:criu-debuginfo, p-cpe:/a:rocky:linux:criu-debugsource, p-cpe:/a:rocky:linux:criu-devel, p-cpe:/a:rocky:linux:criu-libs, p-cpe:/a:rocky:linux:criu-libs-debuginfo, p-cpe:/a:rocky:linux:crun, p-cpe:/a:rocky:linux:crun-debuginfo, p-cpe:/a:rocky:linux:crun-debugsource, p-cpe:/a:rocky:linux:fuse-overlayfs, p-cpe:/a:rocky:linux:fuse-overlayfs-debuginfo, p-cpe:/a:rocky:linux:fuse-overlayfs-debugsource, p-cpe:/a:rocky:linux:libslirp, p-cpe:/a:rocky:linux:libslirp-debuginfo, p-cpe:/a:rocky:linux:libslirp-debugsource, p-cpe:/a:rocky:linux:libslirp-devel, p-cpe:/a:rocky:linux:oci-seccomp-bpf-hook, p-cpe:/a:rocky:linux:oci-seccomp-bpf-hook-debuginfo, p-cpe:/a:rocky:linux:oci-seccomp-bpf-hook-debugsource

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/RockyLinux/release, Host/RockyLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/8/2022

Vulnerability Publication Date: 11/8/2022

Reference Information

CVE: CVE-2021-36221, CVE-2021-41190, CVE-2022-1708, CVE-2022-27191, CVE-2022-29162, CVE-2022-2990