CVE-2020-8694: 
Docker vulnerability analysis and mitigation

CVE-2020-8694 is a vulnerability discovered in the Linux kernel driver for Intel processors that involves insufficient access control. The vulnerability allows authenticated users to potentially enable information disclosure through local access. This issue was disclosed in November 2020 and affects various Intel processor models (NVD, Intel Advisory).

The vulnerability exists in the powercap subsystem which allowed all users to read CPU energy meters by default. On systems using Intel CPUs, this provided a side channel that could leak sensitive information between user processes, or from the kernel to user processes. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability enables information disclosure through a side channel that could leak sensitive information between user processes or from the kernel to user processes on systems using Intel CPUs. This affects the confidentiality of data but does not impact system integrity or availability (Debian LTS).

The primary mitigation is to restrict access to the energy meters to root only by default. For systems running unfixed kernel versions, a temporary workaround can be implemented by running the command: chmod go-r /sys/devices/virtual/powercap///energy_uj. This command needs to be repeated after each system boot. Various Linux distributions have released patches to address this vulnerability (Debian LTS).