CVE-2022-27652: 
Moby vulnerability analysis and mitigation

A vulnerability was discovered in Moby (Docker Engine) and CRI-O where containers were incorrectly started with non-empty inheritable Linux process capabilities (CVE-2022-27652). The issue was discovered in early 2022 and disclosed on April 14, 2022. This vulnerability affected all versions of CRI-O, Moby (Docker Engine) versions up to 20.10.14, and various versions of Red Hat OpenShift Container Platform (Red Hat Advisory, GitHub Advisory).

The vulnerability created an atypical Linux environment that enabled programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). The issue received a CVSS v3.1 base score of 5.3 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. While the vulnerability did not affect the container security sandbox, as the inheritable set never contained more capabilities than were included in the container's bounding set, it particularly impacted containers using Linux users and groups for privilege separation (Red Hat Bugzilla).

The vulnerability allowed otherwise unprivileged users and processes to gain inheritable file capabilities up to the container's bounding set when executing programs with specified permitted file capabilities. This could lead to privilege escalation within the container environment, potentially affecting confidentiality, integrity, and availability of container resources (GitHub Advisory).

The vulnerability was patched in Moby (Docker Engine) version 20.10.14 and CRI-O version 1.24.0. Users are advised to update to these versions and recreate running containers to reset inheritable capabilities. As a workaround, the container entrypoint can be modified to use utilities like capsh(1) to drop inheritable capabilities before the primary process starts (GitHub Advisory, Red Hat Advisory).