Bug 1224323

Summary: VUL-0: containerd: mitigate power-based side channel attacks (advisory GHSA-jq35-85cj-fj4p)
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Containers Team <containers-bugowner>
Status: IN_PROGRESS --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: andreas.taschner, asarai, brad.bendily, containers-bugowner, dcermak, federico.pinca, gianluca.gabrielli, jjindrak, meissner, nicola.dimarzo, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: x86-64   
OS: SLES 15   
URL: https://smash.suse.de/issue/405857/
Whiteboard:
Found By: SUSE Technical Services Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1217404, 1217513    
Bug Blocks:    

Description Marcus Meissner 2024-05-15 16:33:41 UTC 
also problem in containerd.


for https://github.com/advisories/GHSA-7ww5-4wqc-m92c

+++ This bug was initially created as a clone of Bug #1217513 +++

+++ This bug was initially created as a clone of Bug #1217404 +++

Advisory: https://github.com/advisories/GHSA-jq35-85cj-fj4p
Commit: https://github.com/moby/moby/commit/c9ccbfad11a60e703e91b6cca4f48927828c7e35


Basically filters out the  /sys/devices/virtual/powercap/* files to avoid container code to be able to execute powerbased side channel attacks.
Comment 1 Gianluca Gabrielli 2024-05-16 08:58:54 UTC 
Affected packages:
 - SUSE:ALP:Source:Standard:1.0/containerd
 - SUSE:SLE-12:Update/containerd
 - SUSE:SLE-15:Update/containerd
 - SUSE:SLFO:Main/containerd
Comment 4 Maintenance Automation 2024-06-20 20:30:07 UTC 
SUSE-SU-2024:2108-1: An update that solves one vulnerability and has one security fix can now be installed.

Category: security (important)
Bug References: 1221400, 1224323
CVE References: CVE-2023-45288
Maintenance Incident: [SUSE:Maintenance:34007](https://smelt.suse.de/incident/34007/)
Sources used:
openSUSE Leap Micro 5.3 (src):
 containerd-1.7.17-150000.111.3
openSUSE Leap Micro 5.4 (src):
 containerd-1.7.17-150000.111.3
openSUSE Leap 15.5 (src):
 containerd-1.7.17-150000.111.3
openSUSE Leap 15.6 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.5 (src):
 containerd-1.7.17-150000.111.3
Containers Module 15-SP5 (src):
 containerd-1.7.17-150000.111.3
Containers Module 15-SP6 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 containerd-1.7.17-150000.111.3
SUSE Enterprise Storage 7.1 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.1 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro 5.2 (src):
 containerd-1.7.17-150000.111.3
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 containerd-1.7.17-150000.111.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.