A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.

The remote host is affected by the vulnerability described in GLSA-202407-12 (podman: Multiple Vulnerabilities)

    Please review the referenced CVE identifiers for details.

Tenable has extracted the preceding description block directly from the Gentoo Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:23018-1 advisory.

  - An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When     using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in     a short duration, the environment variables from the first container will get leaked into subsequent     containers. An attacker who has control over the subsequent containers could use this flaw to gain access     to sensitive information stored in such variables. (CVE-2020-14370)

  - In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking     vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format     includes a URL for the location of a specific image layer (otherwise known as a foreign layer), the     default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or     later, the default containerd resolver will provide its authentication credentials if the server where the     URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker     publishes a public image with a manifest that directs one of the layers to be fetched from a web server     they control and they trick a user or system into pulling the image, they can obtain the credentials used     for pulling that image. In some cases, this may be the user's username and password for the registry. In     other cases, this may be the credentials attached to the cloud virtual instance which can grant access to     other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin     (which can be used by Kubernetes), the ctr development tool, and other client programs that have     explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and     later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using     cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources.
    Other container runtimes built on top of containerd but not using the default resolver (such as Docker)     are not affected. (CVE-2020-15157)

  - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including     from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by     default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)

  - A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a     container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid     `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits     for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a     malicious image, which when downloaded and stored by an application using containers/storage, would then     cause a deadlock leading to a Denial of Service (DoS). (CVE-2021-20291)

  - An information disclosure flaw was found in Buildah, when building containers using chroot isolation.
    Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from     parent and grandparent processes. When run in a container in a CI/CD environment, environment variables     may include sensitive information that was shared with the container in order to be used only by Buildah     itself (e.g. container registry credentials). (CVE-2021-3602)

  - A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual     machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is     accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an     attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making     private services on the VM accessible to the network. This issue could be also used to interrupt the     host's services by forwarding all ports to the VM. (CVE-2021-4024)

  - The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution     of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone     was used to determine the type of document during push and pull operations. Documents that contain both     manifests and layers fields could be interpreted as either a manifest or an index in the absence of an     accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a     client may interpret the resulting content differently. The OCI Distribution Specification has been     updated to require that a mediaType value present in a manifest or index match the Content-Type header     used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type     header and reject an ambiguous document that contains both manifests and layers fields or manifests     and config fields if they are unable to update to version 1.0.1 of the spec. (CVE-2021-41190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0326-1 advisory.

  - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including     from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by     default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)

  - An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1.
    When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use     special elements such as ../ separators to reference binaries elsewhere on the system. This flaw allows     an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The     highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
    (CVE-2021-20206)

  - A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual     machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is     accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an     attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making     private services on the VM accessible to the network. This issue could be also used to interrupt the     host's services by forwarding all ports to the VM. (CVE-2021-4024)

  - The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution     of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone     was used to determine the type of document during push and pull operations. Documents that contain both     manifests and layers fields could be interpreted as either a manifest or an index in the absence of an     accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a     client may interpret the resulting content differently. The OCI Distribution Specification has been     updated to require that a mediaType value present in a manifest or index match the Content-Type header     used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type     header and reject an ambiguous document that contains both manifests and layers fields or manifests     and config fields if they are unable to update to version 1.0.1 of the spec. (CVE-2021-41190)

  - A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions.
    A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-     empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with     inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
    (CVE-2022-27649)

  - An incorrect handling of the supplementary groups in the Podman container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2989)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0187-1 advisory.

  - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including     from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by     default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)

  - An improper limitation of path name flaw was found in containernetworking/cni in versions before 0.8.1.
    When specifying the plugin to load in the 'type' field in the network configuration, it is possible to use     special elements such as ../ separators to reference binaries elsewhere on the system. This flaw allows     an attacker to execute other existing binaries other than the cni plugins/types, such as 'reboot'. The     highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
    (CVE-2021-20206)

  - A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual     machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is     accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an     attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making     private services on the VM accessible to the network. This issue could be also used to interrupt the     host's services by forwarding all ports to the VM. (CVE-2021-4024)

  - The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution     of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone     was used to determine the type of document during push and pull operations. Documents that contain both     manifests and layers fields could be interpreted as either a manifest or an index in the absence of an     accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a     client may interpret the resulting content differently. The OCI Distribution Specification has been     updated to require that a mediaType value present in a manifest or index match the Content-Type header     used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type     header and reject an ambiguous document that contains both manifests and layers fields or manifests     and config fields if they are unable to update to version 1.0.1 of the spec. (CVE-2021-41190)

  - A flaw was found in Podman, where containers were started incorrectly with non-empty default permissions.
    A vulnerability was found in Moby (Docker Engine), where containers were started incorrectly with non-     empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with     inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.
    (CVE-2022-27649)

  - An incorrect handling of the supplementary groups in the Podman container engine might lead to the     sensitive information disclosure or possible data modification if an attacker has direct access to the     affected container where supplementary groups are used to set access permissions and is able to execute a     binary code in that container. (CVE-2022-2989)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-7954 advisory.

    [2:4.2.0-3.0.1]
    - Drop nmap-ncat requirement and skip ignore-socket test case [Orabug: 34117404]

    [2:4.2.0-3]
    - fix dependency in test subpackage
    - Related: #2061316

    [2:4.2.0-2]
    - readd catatonit
    - Related: #2061316

    [2:4.2.0-1]
    - update to latest content of https://github.com/containers/podman/releases/tag/4.2.0       (https://github.com/containers/podman/commit/7fe5a419cfd2880df2028ad3d7fd9378a88a04f4)
    - Related: #2061316

    [2:4.2.0-0.3rc3]
    - require catatonit for gating tests
    - Related: #2061316

    [2:4.2.0-0.2rc3]
    - update to 4.2.0-rc3
    - Related: #2061316

    [2:4.2.0-0.1rc2]
    - update to 4.2.0-rc2
    - Related: #2061316

    [2:4.1.1-6]
    - convert catatonit dependency to soft dep as catatonit is       no longer in Appstream but in CRB
    - Related: #2061316

    [2:4.1.1-5]
    - rebuild for combined gating with catatonit
    - Related: #2097694

    [2:4.1.1-4]
    - catatonit is now a standalone package
    - Related: #2097694

    [2:4.1.1-3]
    - update to the latest content of https://github.com/containers/podman/tree/v4.1.1-rhel       (https://github.com/containers/podman/commit/fa692a6)
    - Related: #2097694

    [2:4.1.1-2]
    - be sure podman services/sockets are stopped upon package removal
    - Related: #2061316

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2022:7954 advisory.

  - In x/text in Go 1.15.4, an index out of range panic occurs in language.ParseAcceptLanguage while parsing     the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)     (CVE-2020-28851)

  - In x/text in Go before v0.3.5, a slice bounds out of range panic occurs in language.ParseAcceptLanguage     while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language     header.) (CVE-2020-28852)

  - A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual     machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is     accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an     attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making     private services on the VM accessible to the network. This issue could be also used to interrupt the     host's services by forwarding all ports to the VM. (CVE-2021-4024)

  - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including     from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by     default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)

  - A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a     container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid     `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits     for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a     malicious image, which when downloaded and stored by an application using containers/storage, would then     cause a deadlock leading to a Denial of Service (DoS). (CVE-2021-20291)

  - In Go before 1.15.13 and 1.16.x before 1.16.5, some configurations of ReverseProxy (from     net/http/httputil) result in a situation where an attacker is able to drop arbitrary headers.
    (CVE-2021-33197)

  - The crypto/tls package of Go through 1.16.5 does not properly assert that the type of public key in an     X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS     server to cause a TLS client to panic. (CVE-2021-34558)

  - The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to     crash a server in certain circumstances involving AddHostKey. (CVE-2022-27191)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:7954 advisory.

    The podman tool manages pods, container images, and containers. It is part of the libpod library, which is     for applications that use container pods. Container pods is a concept in Kubernetes.

    Security Fix(es):

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension (CVE-2020-28851)

    * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852)

    * podman: podman machine spawns gvproxy with port bound to all IPs (CVE-2021-4024)

    * podman: Remote traffic to rootless containers is seen as orginating from localhost (CVE-2021-20199)

    * containers/storage: DoS via malicious image (CVE-2021-20291)

    * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty     (CVE-2021-33197)

    * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)

    * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.1 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:23018-1 advisory.

  - An information disclosure vulnerability was found in containers/podman in versions before 2.0.5. When     using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in     a short duration, the environment variables from the first container will get leaked into subsequent     containers. An attacker who has control over the subsequent containers could use this flaw to gain access     to sensitive information stored in such variables. (CVE-2020-14370)

  - In containerd (an industry-standard container runtime) before version 1.2.14 there is a credential leaking     vulnerability. If a container image manifest in the OCI Image format or Docker Image V2 Schema 2 format     includes a URL for the location of a specific image layer (otherwise known as a foreign layer), the     default containerd resolver will follow that URL to attempt to download it. In v1.2.x but not 1.3.0 or     later, the default containerd resolver will provide its authentication credentials if the server where the     URL is located presents an HTTP 401 status code along with registry-specific HTTP headers. If an attacker     publishes a public image with a manifest that directs one of the layers to be fetched from a web server     they control and they trick a user or system into pulling the image, they can obtain the credentials used     for pulling that image. In some cases, this may be the user's username and password for the registry. In     other cases, this may be the credentials attached to the cloud virtual instance which can grant access to     other cloud resources in the account. The default containerd resolver is used by the cri-containerd plugin     (which can be used by Kubernetes), the ctr development tool, and other client programs that have     explicitly linked against it. This vulnerability has been fixed in containerd 1.2.14. containerd 1.3 and     later are not affected. If you are using containerd 1.3 or later, you are not affected. If you are using     cri-containerd in the 1.2 series or prior, you should ensure you only pull images from trusted sources.
    Other container runtimes built on top of containerd but not using the default resolver (such as Docker)     are not affected. (CVE-2020-15157)

  - Rootless containers run with Podman, receive all traffic with a source IP address of 127.0.0.1 (including     from remote hosts). This impacts containerized applications that trust localhost (127.0.01) connections by     default and do not require authentication. This issue affects Podman 1.8.0 onwards. (CVE-2021-20199)

  - A deadlock vulnerability was found in 'github.com/containers/storage' in versions before 1.28.1. When a     container image is processed, each layer is unpacked using `tar`. If one of those layers is not a valid     `tar` archive this causes an error leading to an unexpected situation where the code indefinitely waits     for the tar unpacked stream, which never finishes. An attacker could use this vulnerability to craft a     malicious image, which when downloaded and stored by an application using containers/storage, would then     cause a deadlock leading to a Denial of Service (DoS). (CVE-2021-20291)

  - An information disclosure flaw was found in Buildah, when building containers using chroot isolation.
    Running processes in container builds (e.g. Dockerfile RUN commands) can access environment variables from     parent and grandparent processes. When run in a container in a CI/CD environment, environment variables     may include sensitive information that was shared with the container in order to be used only by Buildah     itself (e.g. container registry credentials). (CVE-2021-3602)

  - A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual     machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is     accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an     attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making     private services on the VM accessible to the network. This issue could be also used to interrupt the     host's services by forwarding all ports to the VM. (CVE-2021-4024)

  - The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution     of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone     was used to determine the type of document during push and pull operations. Documents that contain both     manifests and layers fields could be interpreted as either a manifest or an index in the absence of an     accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a     client may interpret the resulting content differently. The OCI Distribution Specification has been     updated to require that a mediaType value present in a manifest or index match the Content-Type header     used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type     header and reject an ambiguous document that contains both manifests and layers fields or manifests     and config fields if they are unable to update to version 1.0.1 of the spec. (CVE-2021-41190)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
201915	GLSA-202407-12 : podman: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
172436	SUSE SLED15 / SLES15 Security Update : conmon, libcontainers-common, libseccomp, podman (SUSE-SU-2022:23018-1)	Nessus	SuSE Local Security Checks	medium
171408	SUSE SLES15 Security Update : podman (SUSE-SU-2023:0326-1)	Nessus	SuSE Local Security Checks	high
170750	SUSE SLES15 / openSUSE 15 Security Update : podman (SUSE-SU-2023:0187-1)	Nessus	SuSE Local Security Checks	high
168070	Oracle Linux 9 : podman (ELSA-2022-7954)	Nessus	Oracle Linux Local Security Checks	medium
167982	AlmaLinux 9 : podman (ALSA-2022:7954)	Nessus	Alma Linux Local Security Checks	medium
167600	RHEL 9 : podman (RHSA-2022:7954)	Nessus	Red Hat Local Security Checks	medium
158634	openSUSE 15 Security Update : conmon, libcontainers-common, libseccomp, podman (openSUSE-SU-2022:23018-1)	Nessus	SuSE Local Security Checks	medium

Detections

Analytics

CVE-2021-4024

medium

Tenable Plugins

critical

medium

high

high

medium

medium

medium

medium