Date: Wed, 27 Jul 2016 13:27:08 -0400 From: Daniel J Walsh <dwalsh@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Re: cve request: systemd-machined: information exposure for docker containers On 07/27/2016 01:05 PM, Christian Rebischke wrote: > On Tue, Jul 26, 2016 at 03:24:13PM -0400, cve-assign@...re.org wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >>> Once docker containers register themselves to systemd-machined >>> by oci-register-machine. Any unprivileged user could run >>> machinectl to list every single containers running in the host >>> even if the containers do not belong to this user (including containers >>> belong to the root user), and access sensitive information associated >>> with any individual container including its internal IP address, OS >>> version, running processes, and file path for its rootfs. >>> >>> $ machinectl status cc8d10c7b9892b75843d200d54d34a3a >>> cc8d10c7b9892b75843d200d54d34a3a(63633864313063376239383932623735) >>> Since: Mon 2016-07-25 17:55:36 UTC; 34s ago >>> Leader: 43494 (sleep) >>> Service: docker; class container >>> Root: /var/mnt/overlay/overlay/0429684e3da515ae4f11b8514c7b20f759613 >>> Address: 172.17.0.2 >>> fe80::42:acff:fe11:2 >>> OS: Red Hat Enterprise Linux Server 7.2 (Maipo) >>> Unit: docker-cc8d10c7b9892b75843d200d54d34a3a9435fe0f65527c254ebfd2d >>> 43494 sleep 3000 >> Use CVE-2016-6349. > Hello, > I don't think that the bug for this problem lies in systemd. > It's more a design mistake in docker or oci-register-machine. > I have forwarded this issue to the systemd developer team and I don't > think they will fix this in the future. In their opinion it's a > bug in docker or oci-register-machine: > > https://github.com/systemd/systemd/issues/3815 > > by the way.. I would feel glad if the security researchers would first > message the developers and then assign a CVE a bug. This is the normal > way for a full disclosure. > > best regards, > > Christian Rebischke Why is this a bug in oci-register-machine? All it is doing is calling the systemd-machine call to register with it using the three flags available. Is systemd saying we should not use that call?
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ