Detections
Analytics
RHEL 7 : podman (RHSA-2020:1227)
medium Nessus Plugin ID 135081
Language:
Synopsis
The remote Red Hat host is missing one or more security updates.Description
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1227 advisory.The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes.
Security Fix(es):
* podman: resolving symlink in host filesystem leads to unexpected results of copy operation (CVE-2019-18466)
* containers/image: Container images read entire image manifest into memory (CVE-2020-1702)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* [extras-rhel-7] conmon binary stripped but debuginfo not generated (BZ#1650395)
* Cannot run systemd-container with SCL service due to RHSA-2019:2091 fix (BZ#1758509)
* Podman does not enforce registries.block in the registries.conf file (BZ#1787666)
* podman and podman-manpages needs merging (BZ#1788549)
* podman should be linked against gpgme-pthread (BZ#1793083)
* podman cannot support load tarball which the name with colon but docker can support this (BZ#1797599)
* podman (1.6.4) rhel 8.1 no route to host from inside container [extras-rhel-7.8/podman] (BZ#1806895)
* Podman can't reuse a container name, even if the container that was using it is no longer around [extras-rhel-7.8/podman] (BZ#1807437)
* podman exec does not reads from stdin [extras-rhel-7.8/podman] (BZ#1807586)
* [FJ8.2 Bug]: [REG]The --group-add option of podman create doesn't function. [extras-rhel-7.8/podman] (BZ#1808702)
Enhancement(s):
* [RFE] sctp support for podman (BZ#1664218)
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected podman and / or podman-docker packages.See Also
http://www.nessus.org/u?b219921f
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/errata/RHSA-2020:1227
https://bugzilla.redhat.com/show_bug.cgi?id=1650395
https://bugzilla.redhat.com/show_bug.cgi?id=1744588
https://bugzilla.redhat.com/show_bug.cgi?id=1758509
https://bugzilla.redhat.com/show_bug.cgi?id=1788549
https://bugzilla.redhat.com/show_bug.cgi?id=1792796
https://bugzilla.redhat.com/show_bug.cgi?id=1797599
https://bugzilla.redhat.com/show_bug.cgi?id=1806895
https://bugzilla.redhat.com/show_bug.cgi?id=1807437
Plugin Details
Severity: Medium
ID: 135081
File Name: redhat-RHSA-2020-1227.nasl
Version: 1.11
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 4/1/2020
Updated: 11/5/2024
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
Vendor
Vendor Severity: Moderate
CVSS v2
Risk Factor: Medium
Base Score: 5.8
Temporal Score: 4.5
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P
CVSS Score Source: CVE-2019-18466
CVSS v3
Risk Factor: Medium
Base Score: 5.5
Temporal Score: 5
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:podman, p-cpe:/a:redhat:enterprise_linux:podman-docker, cpe:/o:redhat:enterprise_linux:7
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/1/2020
Vulnerability Publication Date: 10/28/2019
Reference Information
CVE: CVE-2019-18466, CVE-2020-1702