Upstream information

CVE-2016-9962 at MITRE

Description

RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.

SUSE information

CVSS v2 Scores

| Metric | National Vulnerability Database | SUSE |
|---|---|---|
| Base Score | 4.38 | 4.05 |
| Vector | AV:L/AC:M/Au:N/C:P/I:P/A:P | AV:L/AC:M/Au:S/C:P/I:P/A:P |
| Access Vector | Local | Local |
| Access Complexity | Medium | Medium |
| Authentication | None | Single |
| Confidentiality Impact | Partial | Partial |
| Integrity Impact | Partial | Partial |
| Availability Impact | Partial | Partial |

CVSS v3 Scores

| Metric | National Vulnerability Database |
|---|---|
| Base Score | 6.4 |
| Vector | AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Access Vector | Local |
| Access Complexity | High |
| Privileges Required | High |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |

SUSE Bugzilla entry: 1012568 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Module for Containers 12
  • containerd >= 0.2.5+gitr569_2a5e70c-15.3
  • docker >= 1.12.6-87.2
  • runc >= 0.1.1+gitr2819_50a19c6-15.2
Patchnames:
SUSE-SLE-Module-Containers-12-2017-201
SUSE OpenStack Cloud 6
  • containerd >= 0.2.5+gitr569_2a5e70c-15.3
  • docker >= 1.12.6-87.2
  • runc >= 0.1.1+gitr2819_50a19c6-15.2
Patchnames:
SUSE-OpenStack-Cloud-6-2017-201
openSUSE Leap 42.1
  • containerd >= 0.2.5+gitr569_2a5e70c-10.1
  • containerd-ctr >= 0.2.5+gitr569_2a5e70c-10.1
  • containerd-ctr-debuginfo >= 0.2.5+gitr569_2a5e70c-10.1
  • containerd-debuginfo >= 0.2.5+gitr569_2a5e70c-10.1
  • containerd-debugsource >= 0.2.5+gitr569_2a5e70c-10.1
  • containerd-test >= 0.2.5+gitr569_2a5e70c-10.1
  • docker >= 1.12.6-27.1
  • docker-bash-completion >= 1.12.6-27.1
  • docker-debuginfo >= 1.12.6-27.1
  • docker-debugsource >= 1.12.6-27.1
  • docker-test >= 1.12.6-27.1
  • docker-test-debuginfo >= 1.12.6-27.1
  • docker-zsh-completion >= 1.12.6-27.1
  • runc >= 0.1.1+gitr2819_50a19c6-10.1
  • runc-debuginfo >= 0.1.1+gitr2819_50a19c6-10.1
  • runc-debugsource >= 0.1.1+gitr2819_50a19c6-10.1
  • runc-test >= 0.1.1+gitr2819_50a19c6-10.1
Patchnames:
openSUSE-2017-181
openSUSE Leap 42.2
  • containerd >= 0.2.5+gitr569_2a5e70c-8.1
  • containerd-ctr >= 0.2.5+gitr569_2a5e70c-8.1
  • containerd-ctr-debuginfo >= 0.2.5+gitr569_2a5e70c-8.1
  • containerd-debuginfo >= 0.2.5+gitr569_2a5e70c-8.1
  • containerd-debugsource >= 0.2.5+gitr569_2a5e70c-8.1
  • containerd-test >= 0.2.5+gitr569_2a5e70c-8.1
  • docker >= 1.12.6-25.2
  • docker-bash-completion >= 1.12.6-25.2
  • docker-debuginfo >= 1.12.6-25.2
  • docker-debugsource >= 1.12.6-25.2
  • docker-test >= 1.12.6-25.2
  • docker-test-debuginfo >= 1.12.6-25.2
  • docker-zsh-completion >= 1.12.6-25.2
  • runc >= 0.1.1+gitr2819_50a19c6-8.1
  • runc-debuginfo >= 0.1.1+gitr2819_50a19c6-8.1
  • runc-debugsource >= 0.1.1+gitr2819_50a19c6-8.1
  • runc-test >= 0.1.1+gitr2819_50a19c6-8.1
Patchnames:
openSUSE-2017-181