Dec 04, 2023 - 4:01 p.m.

Security Bulletin: Vulnerability in docker engine affects pattern Type shipped with Cloud Pak System (CVE-2022-36109)

2023-12-04 16:01:32
www.ibm.com
docker engine, cloud pak system, cve-2022-36109, security bypass, arbitrary code, sensitive information, software vulnerability, fix, upgrade

CVSS3: 6.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

AI Score: 7 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 56.3%)

Summary

A security group permission bypass vulnerability exists in Moby (Docker engine), which is used by the Docker pattern type shipped with Cloud Pak System.

Vulnerability Details

CVEID: CVE-2022-36109
**DESCRIPTION:** Moby could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in which supplementary groups are not set up properly. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass primary group restrictions to execute arbitrary code or obtain sensitive information from the container.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235637 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
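
The description attributes the flaw to supplementary groups not being set up properly. As an added example (not from IBM's bulletin or the Moby project), the Python below compares the supplementary groups a containerized process actually holds, read from `/proc/<pid>/status`, with those the container's `/etc/passwd` and `/etc/group` assign to its user. The function names, the comparison rule and the sample data are assumptions constructed for illustration.

```python
# Added example: audit a process's supplementary groups against the
# container's account databases. Sample data is constructed, not captured.

def parse_status(status_text):
    """Return (uid, gid, groups) from the text of /proc/<pid>/status."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.split()
    uid = int(fields["Uid"][1])  # order: real, effective, saved, fs
    gid = int(fields["Gid"][1])
    groups = {int(g) for g in fields.get("Groups", [])}
    return uid, gid, groups

def expected_groups(uid, passwd_text, group_text):
    """Gids of every /etc/group entry that lists the uid's account name."""
    name = None
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[2] == str(uid):
            name = parts[0]
            break
    if name is None:
        return set()
    gids = set()
    for line in group_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and name in parts[3].split(","):
            gids.add(int(parts[2]))
    return gids

def audit(status_text, passwd_text, group_text):
    """Report supplementary gids that are missing or unexpected."""
    uid, gid, actual = parse_status(status_text)
    expected = expected_groups(uid, passwd_text, group_text) - {gid}
    actual = actual - {gid}  # the primary gid is not part of the comparison
    return {"missing": sorted(expected - actual),
            "unexpected": sorted(actual - expected)}

# Constructed sample: user "app" (uid 1000) is a member of "restricted".
PASSWD = "root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000::/home/app:/bin/sh\n"
GROUP = "root:x:0:\napp:x:1000:\nrestricted:x:2000:app\n"
STATUS_BAD = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t\n"
STATUS_OK = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000 2000\n"

if __name__ == "__main__":
    print("bad:", audit(STATUS_BAD, PASSWD, GROUP))
    print("ok: ", audit(STATUS_OK, PASSWD, GROUP))
```

A non-empty `missing` list means the process runs without group memberships the image declares for its user, so permissions keyed to those groups are not being applied to it.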

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Cloud Pak System Software Suite | 2.3.3.0 - 2.3.3.5 (Intel) |
| IBM Cloud Pak System | 2.3.3.0 - 2.3.3.5 (Intel) |

Remediation/Fixes

The vulnerability was found in the docker engine used in the Docker pattern type shipped with Cloud Pak System. Cloud Pak System addressed the vulnerability with Docker pattern type 20.10.21 for Red Hat Enterprise Linux v8 (RHEL8) in Cloud Pak System Software 2.3.3.6 for Intel.

For Cloud Pak System v2.3.3.0, v2.3.3.1, v2.3.3.2, v2.3.3.3, v2.3.3.3 Interim Fix 1, v2.3.3.4 and v2.3.3.5, upgrade to IBM Cloud Pak System V2.3.3.6 at Fix Central.

Information on upgrading: <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node: ibm cloud_pak_system, Match 2.3.3

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm cloud pak system software | eq | 2.3.3 |
