This issue was addressed with the release of v1.0.3. Hotdog now limits the number of processes per container, restricts the ability to modify host devices, and prevents syscalls that would otherwise be blocked. CVE-2021-3103. Prior to v1.0.1, Hotdog would not properly handle an invalid LD_LIBRARY_PATH environment variable. This could allow a container to load a library outside the expected path and with invalid permissions. This issue was addressed with the release of v1.0.2.
CVE-2021-3106. Prior to v1.0.2, Hotdog did not properly validate the underlying JVM process. This would allow a container to spawn an arbitrary JVM process with the specified name. This issue was addressed with the release of v1.0.3. Hotdog now validates the JVM process and rejects invalid names.
Updates for v2.0.0
Hotdog v2.0.0 includes new features and improvements that help with security and stability concerns. These changes include:
- Process Limits: Hotdog will now limit the number of processes per container to 8, restrict the ability to modify host devices, and prevent syscalls that would otherwise be blocked.
- LD_LIBRARY_PATH Validation: Hotdog will now properly handle an invalid LD_LIBRARY_PATH environment variable.
- JVM Validation: Hotdog will now validate the underlying JVM process and reject invalid names.
Updates to the Cloud Controller Runtime
The following vulnerabilities have been addressed with the release of v1.0.3:
- CVE-2010-5688: SOCKS Proxy Service Privilege Escalation
- CVE-2016-4452: Privilege Escalation via Ldap Distributed Mode
- CVE-2016-1755: Privilege Escalation via LDAP Distributed Mode
CVE-2010-5688: SOCKS Proxy Service Privilege Escalation
Prior to v1.0.3, Hotdog would not properly handle a malformed request to the SOCKS proxy service. This was addressed with the release of v1.0.3 which now validates these requests and rejects invalid requests.
Timeline
Published on: 04/19/2022 23:15:00 UTC
Last modified on: 04/29/2022 17:27:00 UTC