CVE-2022-1227
📋 TL;DR
CVE-2022-1227 is a privilege escalation vulnerability in Podman that allows attackers to gain host filesystem access when users run 'podman top' on malicious container images. This affects Podman users who pull images from public registries. The vulnerability can lead to information disclosure or denial of service on the host system.
💻 Affected Systems
- Podman
📦 What is this software?
- Enterprise Linux For IBM Z Systems by Red Hat
- Enterprise Linux For Power Little Endian by Red Hat
- Enterprise Linux Server Update Services For SAP Solutions by Red Hat
- Fedora by Fedora Project
- Podman by Podman Project
- Psgo by Psgo Project
- Quay by Red Hat
⚠️ Risk & Real-World Impact
Worst Case
Complete host compromise allowing attacker to read sensitive files, modify system configurations, or cause system crashes leading to denial of service.
Likely Case
Information disclosure where attackers can read sensitive host files and potentially escalate privileges further.
If Mitigated
Limited impact if users only run trusted images from verified sources and have proper container isolation.
🎯 Exploit Status
Exploitation requires convincing users to download and run malicious images, then execute 'podman top' command.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Podman 4.1.0 and later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2070368
Restart Required: No
Instructions:
1. Update Podman to version 4.1.0 or later using your package manager.
2. For RHEL/CentOS: 'sudo yum update podman'.
3. For Fedora: 'sudo dnf update podman'.
4. For Ubuntu/Debian: use the official repositories or build from source.
🔧 Temporary Workarounds
Avoid the podman top command
Linux: Do not run 'podman top' against untrusted container images.
Use trusted registries only
Linux: Configure Podman to pull images only from trusted, verified registries. Registry policy is set in /etc/containers/registries.conf (note that 'podman system connection add' manages remote Podman service connections, not image registries), for example:
# /etc/containers/registries.conf
unqualified-search-registries = ["trusted-registry.example.com"]
[[registry]]
prefix = "docker.io"
blocked = true
🧯 If You Can't Patch
- Implement strict image provenance policies and only use signed images from trusted sources
- Disable or restrict 'podman top' command usage through SELinux policies or user permissions
🔍 How to Verify
Check if Vulnerable:
Check Podman version with 'podman --version' and verify if it's below 4.1.0
Check Version:
podman --version
Verify Fix Applied:
Run 'podman --version' and confirm version is 4.1.0 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual 'podman top' command executions
- Container image pulls from unknown registries
- Unexpected file access patterns from containers
Network Indicators:
- Downloads from untrusted container registries
- Unusual outbound connections from container hosts
SIEM Query:
source="podman" AND (command="top" OR command="pull") AND registry NOT IN ["trusted-registry1", "trusted-registry2"]
(Illustrative pseudo-query; adapt the source and field names to your log pipeline.)
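The two log indicators above, implemented as an added example (not part of this advisory or of Podman) over constructed sample records; the one-command-per-line log format, the user names and the trusted registry names are assumptions.

```python
"""Flag 'podman top' executions and image pulls from registries outside an allowlist."""
import shlex
from typing import Iterable, List, Tuple

# Constructed sample records (not real logs). Fields: timestamp, user, command line.
SAMPLE_LOG = """\
2022-04-05T10:01:12Z alice podman pull registry.example.internal/base/alpine:3.15
2022-04-05T10:02:40Z bob podman pull docker.io/someuser/suspicious:latest
2022-04-05T10:03:01Z bob podman top 3f2a1c9e
2022-04-05T10:04:17Z alice podman ps -a
2022-04-05T10:05:55Z carol podman pull quay.io/org/app:1.0
"""

# Registries considered trusted (assumption; placeholder names).
TRUSTED_REGISTRIES = {"registry.example.internal", "quay.io"}


def registry_of(image_ref: str) -> str:
    """Return the registry host of an image reference, or 'unqualified'.
    A short name such as 'alpine:3.15' has no registry component and is
    resolved through registries.conf, so it is reported separately."""
    parts = image_ref.split("/", 1)
    if len(parts) == 1:
        return "unqualified"
    return parts[0].split(":", 1)[0]  # drop an explicit port such as :5000


def parse_record(line: str) -> Tuple[str, str, List[str]]:
    ts, user, cmdline = line.split(" ", 2)
    return ts, user, shlex.split(cmdline)


def find_indicators(lines: Iterable[str], trusted=TRUSTED_REGISTRIES):
    """Return (timestamp, user, indicator, detail) tuples for suspicious records."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, argv = parse_record(line)
        if len(argv) < 2 or argv[0] != "podman":
            continue
        if argv[1] == "top":
            findings.append((ts, user, "podman-top", " ".join(argv)))
        elif argv[1] == "pull":
            refs = [a for a in argv[2:] if not a.startswith("-")]  # skip flags
            if refs and registry_of(refs[-1]) not in trusted:
                findings.append((ts, user, "untrusted-pull:" + registry_of(refs[-1]), refs[-1]))
    return findings
```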
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2070368
- https://github.com/containers/podman/issues/10941
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/
- https://security.netapp.com/advisory/ntap-20240628-0001/