Bugzilla – Bug 990805
VUL-1: CVE-2016-6349: systemd: systemd-machined: information exposure for docker containers
Last modified: 2016-07-27 10:52:20 UTC
http://seclists.org/oss-sec/2016/q3/160

Once docker containers register themselves to systemd-machined by oci-register-machine, any unprivileged user could run machinectl to list every single container running in the host even if the containers do not belong to this user (including containers belonging to the root user), and access sensitive information associated with any individual container, including its internal IP address, OS version, running processes, and file path for its rootfs.

  $ machinectl status cc8d10c7b9892b75843d200d54d34a3a
  cc8d10c7b9892b75843d200d54d34a3a(63633864313063376239383932623735)
             Since: Mon 2016-07-25 17:55:36 UTC; 34s ago
            Leader: 43494 (sleep)
           Service: docker; class container
              Root: /var/mnt/overlay/overlay/0429684e3da515ae4f11b8514c7b20f759613
           Address: 172.17.0.2
                    fe80::42:acff:fe11:2
                OS: Red Hat Enterprise Linux Server 7.2 (Maipo)
              Unit: docker-cc8d10c7b9892b75843d200d54d34a3a9435fe0f65527c254ebfd2d
                    └─43494 sleep 3000

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6349
http://seclists.org/oss-sec/2016/q3/160
Between docker and systemd on SLE... are we affected in our configuration? If so, where would the fix be?
This appears to happen because of a hook written as part of Project Atomic[1]. We don't package this hook, and as far as I'm aware (we're double checking this now) Docker and runC do not have the capability to register containers with machinectl without external hooks like the one linked. So this /appears/ to be a RedHat-specific issue. However, this definitely appears to me to be a systemd bug (and should be fixed on that side).

[1]: https://github.com/projectatomic/oci-register-machine
Show how to attack a SUSE/openSUSE installation with the exact systemd version.
Besides this, see what upstream says: https://github.com/systemd/systemd/issues/3815 Any comments? IMHO this is *not* a systemd bug.
> Show how to attack a SUSE/openSUSE installation with the exact systemd
> version.

I'm confused as to who you are referring to. I'm saying that we _are not_ vulnerable. This "feature" of registering Docker containers to systemd is not an upstream feature of Docker. It is implemented as part of a hook for Project Atomic that we do not (and have never) ship. In addition, it requires running a modified Docker daemon with this patch[1] applied in order to even have the hook functionality required. We don't apply this patch[2] and never have. From my perspective, this is a Red Hat bug and should not affect us.

[1]: https://github.com/projectatomic/docker/commit/a307e90141ba31b378bc31bb7720ed141f47cd9b
[2]: https://build.opensuse.org/package/show/Virtualization:containers/docker
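The question in this thread ("are we affected in our configuration?") comes down to two observable conditions: whether an oci-register-machine hook is installed, and whether any docker-registered containers are visible through systemd-machined to an unprivileged user. The following POSIX shell audit is an added example, not code from the bug report, systemd, Docker or Project Atomic; it parses the output of machinectl list --no-legend for containers registered by the docker service and looks for the hook on PATH (the install location is an assumption; the report names only the project). The sample listing is constructed.

```shell
#!/bin/sh
# Added audit helper; not from the bug report, systemd, Docker, or Project Atomic.
# Checks the two conditions the thread discusses: whether a docker-registered
# machine is visible through systemd-machined, and whether an
# oci-register-machine hook binary is installed (its path is an assumption).

# Count machines of class "container" registered by service "docker" in the
# output of `machinectl list --no-legend` read on stdin.
# Column layout assumed: MACHINE CLASS SERVICE [...].
count_docker_machines() {
    awk '$2 == "container" && $3 == "docker" { n++ } END { print n + 0 }'
}

# Exit 0 when an oci-register-machine executable is on PATH, 1 otherwise.
# The bug report names the project but not an install path, so a PATH lookup
# is an assumption.
hook_installed() {
    command -v oci-register-machine >/dev/null 2>&1
}

# Print "exposed" when either condition holds, "clear" otherwise, given the
# docker machine count and a 0/1 hook flag as arguments.
verdict() {
    if [ "$1" -gt 0 ] || [ "$2" -eq 1 ]; then
        echo exposed
    else
        echo clear
    fi
}

# Constructed sample listing, modelled on the report's machine naming.
SAMPLE_LISTING='cc8d10c7b9892b75843d200d54d34a3a container docker
rawhide                          container nspawn
web-vm                           vm        libvirt-lxc'

# Live audit: run it as an unprivileged user so the result reflects what such a
# user can see. Falls back to the constructed sample when machinectl is absent.
audit() {
    if command -v machinectl >/dev/null 2>&1; then
        listing=$(machinectl list --no-legend 2>/dev/null)
    else
        listing=$SAMPLE_LISTING
    fi
    n=$(printf '%s\n' "$listing" | count_docker_machines)
    if hook_installed; then hook=1; else hook=0; fi
    echo "docker-registered machines visible: $n"
    echo "oci-register-machine hook on PATH: $hook"
    verdict "$n" "$hook"
}

audit
```

A "clear" result on a stock SUSE docker package matches the conclusion reached in this thread: without the hook and the Project Atomic daemon patch, nothing registers containers with machined, so there is nothing for machinectl to expose.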
OK... this is not a bug of ours.
Use correct resolution.