CVE-2023-28642: 
Docker Compose vulnerability analysis and mitigation

runc, a CLI tool for spawning and running containers according to the OCI specification, was found to contain a security vulnerability (CVE-2023-28642) where AppArmor could be bypassed when /proc inside the container is symlinked with a specific mount configuration. This vulnerability was discovered and disclosed in March 2023, affecting all versions of runc prior to 1.1.5 (NVD, GitHub Advisory).

The vulnerability stems from a security check bypass related to symlinked /proc directories in containers. The issue occurs when /proc inside the container is symlinked with a specific mount configuration, which could lead to AppArmor security controls being circumvented. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) by NIST with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while GitHub assigned it a score of 6.1 (Medium) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability potentially affects both AppArmor and SELinux security controls, which are critical security mechanisms in container environments (NetApp Advisory).

The vulnerability has been fixed in runc version 1.1.5 by prohibiting symlinked /proc directories. Users are strongly advised to upgrade to this version or later. For those unable to upgrade immediately, the recommended workaround is to avoid using untrusted container images (GitHub Advisory).