CVE-2024-9676: Podman: buildah: cri-o: symlink traversal vulnerability in the containers/storage library can cause denial of service (dos)
First published: Wed Oct 09 2024(Updated: )
A symlink traversal vulnerability in the containers/storage library can cause Podman, Buildah, and CRI-O to hang and potentially be DoSed via OOM kill when running a malicious image using an automatically assigned user namespace (`--userns=auto` in Podman and Buildah). The containers/storage library will read /etc/passwd inside the container, but does not properly validate if that file is a symlink, which can be used to cause the library to read an arbitrary file on the host. This file is only read, and if it does not properly parse as a copy of `/etc/passwd` it will cause an error (there is a small risk of information disclosure via the error message here as elements of the file that failed to parse can be included, but this is only as the user running Podman/Buildah/CRI-O so it wouldn't be a file they did not already have access to). The report here discovered that you can symlink /etc/passwd in the container to a FIFO on the host, causing a hang as the file cannot be completely read (or an OOM condition if the FIFO is continuously written to, which was then ready by Podman). This hang could occur in a critical section in the c/storage library, blocking other processes from creating containers, but could be easily solved via a SIGKILL of the affected process. The ability to potentially crash the CRI-O service via OOM kill could be more relevant, though the attacker would have to know the path of a FIFO that is regularly being written to on the host in order to do this.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat openshift container platform | =4.12 | |
| redhat openshift container platform | =4.13 | |
| redhat openshift container platform | =4.14 | |
| redhat openshift container platform | =4.15 | |
| redhat openshift container platform | =4.16 | |
| redhat openshift container platform | =4.17 | |
| redhat openshift container platform for arm64 | =4.12 | |
| redhat openshift container platform for arm64 | =4.13 | |
| redhat openshift container platform for arm64 | =4.14 | |
| redhat openshift container platform for arm64 | =4.15 | |
| redhat openshift container platform for arm64 | =4.16 | |
| redhat openshift container platform for ibm z | =4.12 | |
| redhat openshift container platform for ibm z | =4.13 | |
| redhat openshift container platform for ibm z | =4.14 | |
| redhat openshift container platform for ibm z | =4.15 | |
| redhat openshift container platform for ibm z | =4.16 | |
| redhat openshift container platform for linuxone | =4.12 | |
| redhat openshift container platform for linuxone | =4.13 | |
| redhat openshift container platform for linuxone | =4.14 | |
| redhat openshift container platform for linuxone | =4.15 | |
| redhat openshift container platform for linuxone | =4.16 | |
| Red Hat OpenShift Container Platform for Power | =4.12 | |
| Red Hat OpenShift Container Platform for Power | =4.13 | |
| Red Hat OpenShift Container Platform for Power | =4.14 | |
| Red Hat OpenShift Container Platform for Power | =4.15 | |
| Red Hat OpenShift Container Platform for Power | =4.16 | |
| Red Hat Enterprise Linux | =9.0 | |
| redhat enterprise Linux eus | =9.4 | |
| redhat enterprise Linux for arm 64 | =9.0_aarch64 | |
| Red Hat Enterprise Linux for ARM64 EUS | =9.4_aarch64 | |
| redhat enterprise Linux for ibm z systems | =9.0_s390x | |
| redhat enterprise Linux for ibm z systems eus | =9.4_s390x | |
| redhat enterprise Linux for power little endian | =9.0_ppc64le | |
| redhat enterprise Linux for power little endian eus | =9.4_ppc64le | |
| redhat enterprise Linux server aus | =9.4 | |
| redhat enterprise Linux server for power little endian update services for sap solutions | =9.4_ppc64le |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:10289
- https://access.redhat.com/errata/RHSA-2024:8418
- https://access.redhat.com/errata/RHSA-2024:8428
- https://access.redhat.com/errata/RHSA-2024:8437
- https://access.redhat.com/errata/RHSA-2024:8686
- https://access.redhat.com/errata/RHSA-2024:8690
- https://access.redhat.com/errata/RHSA-2024:8694
- https://access.redhat.com/errata/RHSA-2024:8700
- https://access.redhat.com/errata/RHSA-2024:8984
- https://access.redhat.com/errata/RHSA-2024:9051
- https://access.redhat.com/errata/RHSA-2024:9454
- https://access.redhat.com/errata/RHSA-2024:9459
- https://access.redhat.com/errata/RHSA-2024:9926
- https://access.redhat.com/security/cve/CVE-2024-9676
- https://bugzilla.redhat.com/show_bug.cgi?id=2317467
- https://github.com/advisories/GHSA-wq2p-5pc6-wpgf
- https://access.redhat.com/errata/RHSA-2025:0876
Frequently Asked Questions
What is the severity of CVE-2024-9676?
CVE-2024-9676 is considered a high severity vulnerability due to its potential to hang applications and cause denial of service.
How do I fix CVE-2024-9676?
To fix CVE-2024-9676, update your OpenShift Container Platform installation to the latest version that addresses this vulnerability.
What software is affected by CVE-2024-9676?
CVE-2024-9676 affects multiple versions of Red Hat OpenShift Container Platform from 4.12 to 4.17 as well as related platforms for ARM and IBM architectures.
What types of attacks can exploit CVE-2024-9676?
CVE-2024-9676 can be exploited through malicious container images that cause resource exhaustion and application hangs.
Is there a specific configuration that increases the risk of CVE-2024-9676?
Yes, the use of the automatically assigned user namespace option ('--userns=auto') in Podman and Buildah increases the risk of CVE-2024-9676.
- agent/weakness
- agent/type
- agent/title
- agent/author
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-9676
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/tags
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/4.12
- version/redhat openshift container platform/4.13
- version/redhat openshift container platform/4.14
- version/redhat openshift container platform/4.15
- version/redhat openshift container platform/4.16
- version/redhat openshift container platform/4.17
- canonical/redhat openshift container platform for arm64
- version/redhat openshift container platform for arm64/4.12
- version/redhat openshift container platform for arm64/4.13
- version/redhat openshift container platform for arm64/4.14
- version/redhat openshift container platform for arm64/4.15
- version/redhat openshift container platform for arm64/4.16
- canonical/redhat openshift container platform for ibm z
- version/redhat openshift container platform for ibm z/4.12
- version/redhat openshift container platform for ibm z/4.13
- version/redhat openshift container platform for ibm z/4.14
- version/redhat openshift container platform for ibm z/4.15
- version/redhat openshift container platform for ibm z/4.16
- canonical/redhat openshift container platform for linuxone
- version/redhat openshift container platform for linuxone/4.12
- version/redhat openshift container platform for linuxone/4.13
- version/redhat openshift container platform for linuxone/4.14
- version/redhat openshift container platform for linuxone/4.15
- version/redhat openshift container platform for linuxone/4.16
- canonical/red hat openshift container platform for power
- version/red hat openshift container platform for power/4.12
- version/red hat openshift container platform for power/4.13
- version/red hat openshift container platform for power/4.14
- version/red hat openshift container platform for power/4.15
- version/red hat openshift container platform for power/4.16
- canonical/red hat enterprise linux
- version/red hat enterprise linux/9.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/9.4
- canonical/redhat enterprise linux for arm 64
- version/redhat enterprise linux for arm 64/9.0_aarch64
- canonical/red hat enterprise linux for arm64 eus
- version/red hat enterprise linux for arm64 eus/9.4_aarch64
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/9.0_s390x
- canonical/redhat enterprise linux for ibm z systems eus
- version/redhat enterprise linux for ibm z systems eus/9.4_s390x
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/9.0_ppc64le
- canonical/redhat enterprise linux for power little endian eus
- version/redhat enterprise linux for power little endian eus/9.4_ppc64le
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/9.4
- canonical/redhat enterprise linux server for power little endian update services for sap solutions
- version/redhat enterprise linux server for power little endian update services for sap solutions/9.4_ppc64le