CVE-2020-14300 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2020-14300 Interim 1 27 2023-02-13T01:06:26Z current 2021-05-30T14:40:59Z 2023-02-13T01:06:26Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2020-14300 The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat. The original issue - CVE-2016-9962 - could possibly allow a process inside container to compromise a process entering container namespace and execute arbitrary code outside of the container. This could lead to compromise of the container host or other containers running on the same container host. This issue only affects a single version of Docker, 1.13.1-108.git4ef4b30, shipped in Red Hat Enterprise Linux 7. Both earlier and later versions are not affected. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings Magnum Orchestration 7 SUSE CaaS Platform 3.0 SUSE Container as a Service Platform 2.0 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP2 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 15 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP2 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 15 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP2 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 15 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP2 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP2 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP2 SUSE Linux Enterprise Module for Containers 15 SP1 SUSE Linux Enterprise Module for Containers 15 SP2 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 6-LTSS docker docker-bash-completion docker-kubic docker as a component of Magnum Orchestration 7 docker-kubic as a component of SUSE CaaS Platform 3.0 docker as a component of SUSE CaaS Platform 3.0 docker as a component of SUSE Container as a Service Platform 2.0 docker as a component of SUSE Linux Enterprise Module for Containers 12 docker as a component of SUSE Linux Enterprise Module for Containers 15 docker-bash-completion as a component of SUSE Linux Enterprise Module for Containers 15 docker as a component of SUSE Linux Enterprise Module for Containers 15 SP1 docker-bash-completion as a component of SUSE Linux Enterprise Module for Containers 15 SP1 docker as a component of SUSE Linux Enterprise Module for Containers 15 SP2 docker-bash-completion as a component of SUSE Linux Enterprise Module for Containers 15 SP2 docker as a component of SUSE OpenStack Cloud 6 docker as a component of SUSE OpenStack Cloud 6-LTSS The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat. The original issue - CVE-2016-9962 - could possibly allow a process inside container to compromise a process entering container namespace and execute arbitrary code outside of the container. This could lead to compromise of the container host or other containers running on the same container host. This issue only affects a single version of Docker, 1.13.1-108.git4ef4b30, shipped in Red Hat Enterprise Linux 7. Both earlier and later versions are not affected. CVE-2020-14300 Magnum Orchestration 7:docker SUSE CaaS Platform 3.0:docker SUSE CaaS Platform 3.0:docker-kubic SUSE Container as a Service Platform 2.0:docker SUSE Linux Enterprise Module for Containers 12:docker SUSE Linux Enterprise Module for Containers 15 SP1:docker SUSE Linux Enterprise Module for Containers 15 SP1:docker-bash-completion SUSE Linux Enterprise Module for Containers 15 SP2:docker SUSE Linux Enterprise Module for Containers 15 SP2:docker-bash-completion SUSE Linux Enterprise Module for Containers 15:docker SUSE Linux Enterprise Module for Containers 15:docker-bash-completion SUSE OpenStack Cloud 6-LTSS:docker SUSE OpenStack Cloud 6:docker important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P 7.8 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H