Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseGHSA-7ww5-4wqc-m92c
GHSA-7ww5-4wqc-m92c:
vulnerability analysis and mitigation
Overview
A moderate severity vulnerability (GHSA-7ww5-4wqc-m92c) was discovered in containerd that allows containers to access Intel's RAPL (Running Average Power Limit) feature through /sys/devices/virtual/powercap. The vulnerability affects containerd versions ≤1.6.25 and 1.7.0-1.7.10, with patches available in versions 1.6.26 and 1.7.11. This issue stems from the default accessibility of power consumption monitoring capabilities to containers, which could potentially be exploited as a side-channel attack vector (GitHub Advisory).
Technical details
The vulnerability relates to Intel's RAPL feature, introduced in the Sandy Bridge microarchitecture, which provides software insights into hardware energy consumption through the powercap framework in Linux kernel 3.13. The framework reads values via MSRs (model specific registers) and provides userspace access through sysfs. While the Linux kernel prevents access by non-root users since version 5.10, this mitigation doesn't fully protect container environments, as root inside a container maintains the same privileges as root outside the container. The sysfs mount is read-only in containers, but this is sufficient for potential exploitation (GitHub Advisory, Platypus Attack).
Impact
This vulnerability could enable power-based side-channel attacks against security features including AES-NI (potentially affecting SGX enclaves) and KASLR (kernel address space layout randomization). The risk is particularly significant in multi-tenant container environments where containers share the same underlying hardware. This vulnerability is related to previously identified issues tracked as CVE-2020-8694, CVE-2020-8695, and CVE-2020-12912 (GitHub Advisory).
Mitigation and workarounds
The vulnerability has been patched in containerd versions 1.6.26 and 1.7.11. The fix involves masking /sys/devices/virtual/powercap in the default mount configuration and adding rules to deny access in the default AppArmor profile. Intel has also implemented mitigations through microcode updates that reduce sampling resolution (GitHub Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management