Executive Summary

This vulnerability is a container privilege escalation flaw found in certain AMQ Broker container images. It occurs because the /etc/passwd file is created with group-writable permissions during build time. An attacker who can execute commands inside the affected container, even as a non-root user, and who is a member of the root group, can modify the /etc/passwd file. This allows the attacker to add a new user with any user ID, including UID 0 (root), thereby gaining full root privileges within the container. [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with limited access inside a container to escalate their privileges to full root access within that container. This means the attacker could perform any action as the root user inside the container, potentially compromising the container's security, accessing sensitive data, or disrupting services running inside the container. [1, 2]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by checking the permissions of the /etc/passwd file inside the affected AMQ Broker containers. Specifically, look for group-writable permissions on /etc/passwd. For example, run the command: ls -l /etc/passwd inside the container and verify if the group permissions include write access (e.g., -rw-rw-r--). Additionally, verify if the container image version is prior to the fixed version 7.13.2.OPR.1.GA. No network detection commands are provided in the resources. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the affected AMQ Broker container images to the latest fixed version 7.13.2.OPR.1.GA available in the Red Hat Container catalog. This update addresses the excessive group-writable permissions on /etc/passwd and other related security issues. Avoid running containers with excessive permissions and restrict command execution capabilities within containers where possible. [1, 2]

Useful 0 Not Useful 0