CVE-2022-27649
📋 TL;DR
This vulnerability in Podman and Moby (Docker Engine) allows containers to start with non-empty inheritable Linux process capabilities. An attacker with access to programs having inheritable file capabilities can elevate those capabilities to the permitted set during execve(2) execution. This affects users running vulnerable versions of Podman or Docker Engine.
💻 Affected Systems
- Podman
- Moby (Docker Engine)
📦 What is this software?
Products listed as affected by this CVE:
- Enterprise Linux For Ibm Z Systems by Redhat
- Enterprise Linux For Ibm Z Systems Eus by Redhat
- Enterprise Linux For Power Little Endian by Redhat
- Enterprise Linux For Power Little Endian Eus by Redhat
- Enterprise Linux Server Update Services For Sap Solutions by Redhat
- Fedora by Fedoraproject
- Podman by Podman Project
⚠️ Risk & Real-World Impact
Worst Case
Container escape leading to full host system compromise, allowing attackers to execute arbitrary code with elevated privileges on the host.
Likely Case
Privilege escalation within containers, enabling attackers to perform unauthorized actions, access sensitive data, or pivot to other systems.
If Mitigated
Limited impact with proper container isolation, capability restrictions, and security controls in place.
🎯 Exploit Status
Requires the attacker to have initial access to the container and knowledge of programs inside it that carry inheritable file capabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Podman 4.0.2+, Docker Engine 20.10.14+
Vendor Advisory: https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j
Restart Required: Yes
Instructions:
1. Update Podman: 'sudo dnf update podman' (RHEL/Fedora) or 'sudo apt update && sudo apt upgrade podman' (Debian/Ubuntu).
2. Update Docker Engine: follow the official Docker update instructions for your distribution.
3. Restart affected containers and services.
🔧 Temporary Workarounds
Drop inheritable capabilities (Linux)
Manually drop inheritable capabilities from containers to prevent exploitation.
docker run --cap-drop=ALL --cap-add=...
podman run --cap-drop=ALL --cap-add=...
Use user namespaces (Linux)
Enable user namespace remapping to add an isolation layer. Note that the command below overwrites any existing /etc/docker/daemon.json; if one is already present, merge the "userns-remap" key into it instead of replacing the file.
echo '{"userns-remap": "default"}' > /etc/docker/daemon.json
systemctl restart docker
🧯 If You Can't Patch
- Implement strict capability restrictions using --cap-drop and --cap-add flags for all containers.
- Deploy runtime security tools like Falco or AppArmor/SELinux policies to monitor and restrict capability usage.
🔍 How to Verify
Check if Vulnerable:
Check the Podman version with 'podman --version' and the Docker version with 'docker --version'. If the installed version is below Podman 4.0.2 or Docker 20.10.14, the system is vulnerable.
Check Version:
podman --version; docker --version
Verify Fix Applied:
After update, verify versions meet patched requirements and test container execution with inheritable capabilities disabled.
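The two checks above (version below the fixed release, and a running container whose init process still has a non-empty inheritable capability set) can be scripted. The following is an added example written for this page; it is not code from the Podman or Moby projects, the function names are my own, the version thresholds are the ones given in the Fix section, and the /proc status excerpt is constructed for the example.

```shell
#!/bin/sh
# Added example for the checks described in this advisory; not part of the
# original page or of the Podman/Moby projects. Function names are my own.
# Version thresholds are the ones given in the Fix section (Podman 4.0.2,
# Docker Engine 20.10.14); adjust them to your vendor's backported fix.

# version_lt A B: succeeds when version A sorts strictly below B (GNU sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_vulnerable_version TOOL VERSION: succeeds when VERSION is below the fix.
is_vulnerable_version() {
    case "$1" in
        podman) version_lt "$2" "4.0.2" ;;
        docker) version_lt "$2" "20.10.14" ;;
        *)      echo "unknown tool: $1" >&2; return 2 ;;
    esac
}

# decode_caps HEXMASK: print the cap_* names set in a capability mask as shown
# in /proc/<pid>/status (CapInh/CapPrm/CapEff); bit 0 is cap_chown, bit 40 is
# cap_checkpoint_restore.
decode_caps() {
    mask="0x$1"
    set -- chown dac_override dac_read_search fowner fsetid kill setgid setuid \
        setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
        ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
        sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod \
        lease audit_write audit_control setfcap mac_override mac_admin syslog \
        wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore
    i=0
    for name in "$@"; do
        if [ $(( ($mask >> i) & 1 )) -eq 1 ]; then
            printf 'cap_%s\n' "$name"
        fi
        i=$((i + 1))
    done
}

# inheritable_caps STATUS_FILE: print the inheritable set of a process read from
# its /proc/<pid>/status file; succeeds (exit 0) only when that set is
# NON-empty, which is the condition CVE-2022-27649 is about.
inheritable_caps() {
    inh=$(awk '/^CapInh:/ { print $2 }' "$1")
    [ -n "$inh" ] || { echo "no CapInh line in $1" >&2; return 2; }
    decode_caps "$inh"
    [ -n "$(printf '%s' "$inh" | tr -d 0)" ]
}

# container_inheritable_caps RUNTIME NAME: resolve the container's init PID with
# `podman inspect` / `docker inspect` and check it from the host (needs root).
container_inheritable_caps() {
    pid=$("$1" inspect --format '{{.State.Pid}}' "$2") || return 2
    inheritable_caps "/proc/$pid/status"
}

# sample_status_file: write a constructed /proc/<pid>/status excerpt (made up
# for this example) with a non-empty CapInh to a temp file and print its path.
sample_status_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Name:	sh
Pid:	4242
CapInh:	0000000000000082
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb
CapBnd:	00000000a80425fb
EOF
    printf '%s\n' "$f"
}

# Usage on a host (as root):
#   is_vulnerable_version podman "$(podman --version | awk '{print $NF}')" && echo "podman below fix"
#   container_inheritable_caps podman mycontainer && echo "FINDING: non-empty CapInh"
```

On a patched runtime, `container_inheritable_caps` should print nothing and exit non-zero for a container started without explicit inheritable capabilities; a non-empty listing on a container you did not configure that way is the condition to investigate. If libcap's `capsh` is installed, `capsh --decode=<mask>` gives the same name list as `decode_caps` and can be used to cross-check it.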
📡 Detection & Monitoring
Log Indicators:
- Unusual capability elevation events in container logs
- Audit logs showing unexpected execve calls with capability changes
Network Indicators:
- Suspicious outbound connections from containers to unexpected destinations
SIEM Query:
container.runtime:podman AND event.action:execve AND process.capabilities.inheritable:*
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2066568
- https://github.com/containers/podman/commit/aafa80918a245edcbdaceb1191d749570f1872d0
- https://github.com/containers/podman/security/advisories/GHSA-qvf8-p83w-v58j
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4KDETHL5XCT6RZN2BBNOCEXRZ2W3SFU3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLUJZV3HBP56ADXU6QH2V7RNYUPMVBXQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5WPM42UR6XIBQNQPNQHM32X7S4LJTRX/