general

Security Notices

2020-09-15 CVE-2020-14386 Linux kernel CAP_NET_RAW vulnerability

A memory corruption bug in the Linux kernel can be exploited to gain root privileges from unprivileged processes, provided the unprivileged processes possess the CAP_NET_RAW capability. You can find more information in the security email list.

How to patch it

Major Linux distributions offer patched versions of the Linux kernel. You need to install a new version of the kernel and reboot.

If that option is not possible, configure all the deployments in your Kubernetes environment to drop the CAP_NET_RAW capability. Follow these instructions:

 securityContext:
   capabilities:
     drop:
       - CAP_NET_RAW

Affected platforms

This issue requires local access to be exploitable. This is particularly important for environments that run containers on it. Container capabilities let you fine-tune the permissions granted so you don’t inadvertently give total control to an image.

The CAP_NET_RAW is a capability that a possible attacker could use to escape the container and to gain root access to the host (or the node in case of a Kubernetes environment).

None of the Bitnami container images or Helm charts use the CAP_NET_RAW capability by default.

We strongly recommend upgrading your Kubernetes infrastructure to use a patched kernel. This will avoid any possible privilege escalation issues and secure your infrastructure against this vulnerability.

Do you have more questions? Please post to our community forums so we can help you there.

Last modification September 16, 2020