CVE-2022-2995: 
Podman vulnerability analysis and mitigation

CVE-2022-2995 is a security vulnerability discovered in the CRI-O container engine that involves incorrect handling of supplementary groups. The vulnerability was disclosed in September 2022 and affects container runtimes including CRI-O, Docker, podman, and other implementations following the Open Container Initiative (OCI) specification (Bentham Gaze).

The vulnerability stems from container runtimes not properly duplicating a user's primary group in the list of supplementary groups when initializing containers, unlike the traditional Linux behavior. This implementation difference allows programs running in containers to potentially drop their primary group, which could lead to bypassing access controls that rely on negative group permissions (Bentham Gaze).

The vulnerability could lead to sensitive information disclosure or possible data modification in environments that use negative group permissions for access control. However, since negative group permissions are not widely used, the overall impact has been assessed as low (Red Hat Advisory).

Several mitigation strategies are available: 1) Initialize containers with 'su -l' command instead of using container runtime user configuration, 2) Manually duplicate groups in /etc/group, 3) Block setuid/setgid programs using Docker's '--security-opt no-new-privileges' flag or Kubernetes' 'allowPrivilegeEscalation=false' setting. Patches have been developed and distributed through various container runtime updates (Bentham Gaze).

The vulnerability was initially reported to Docker on May 27, 2022, and was subsequently passed to the Moby project as it affected multiple container runtime implementations. Due to its low severity assessment, the vulnerability was publicly discussed while mitigation work was underway (Bentham Gaze).