CVE-2021-20199
Public on
Last Modified:
Description
A flaw was found in podman. Rootless containers receive all traffic with a source IP address of 127.0.0.1 (including from remote hosts) which impact containerized applications that trust localhost (127.0.01) connections by default and do not require authentication. The highest threat from this vulnerability is to data integrity.
Statement
This issue does not affect Podman prior to version 1.8.0. Podman shipped in the following products are therefore not affected:
- Red Hat Enterprise Linux 7 Extras
- Red Hat Enterprise Linux 8 Container Tools stream 1.0
- Red Hat Enterprise Linux 8 Container Tools stream 2.0
- OpenShift Container Platform 3.11
- OpenShift Container Platform 4.1 to 4.5
Mitigation
Configure containerized applications to require authentication for connections from all sources, including localhost.
Additional information
- Bugzilla 1919050: podman: Remote traffic to rootless containers is seen as orginating from localhost
- CWE-346: Origin Validation Error
- FAQ: Frequently asked questions about CVE-2021-20199
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
| Red Hat | NVD | |
|---|---|---|
CVSS v3 Base Score | 5.9 | 5.9 |
Attack Vector | Network | Network |
Attack Complexity | High | High |
Privileges Required | None | None |
User Interaction | None | None |
Scope | Unchanged | Unchanged |
Confidentiality Impact | None | None |
Integrity Impact | High | High |
Availability Impact | None | None |
CVSS v3 Vector
Red Hat: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat CVSS v3 Score Explanation
Attack Complexity is rated High, as for this to present a security issue it requires podman to run a container in rootless mode, expose a port remotely and for the containerized application to give greater trust to localhost connections than to remote ones. Most applications simply either have authentication enabled or disabled and do not treat the origin of connections differently.
Understanding the Weakness (CWE)
Access Control,Other
Technical Impact: Gain Privileges or Assume Identity; Varies by Context
An attacker can access any functionality that is inadvertently accessible to the source.
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
My product is listed as "Out of Support Scope". What does this mean?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.
