January 21st, 2022

Statement on the recent CVE-2022-0185 vulnerability

Cian Johnston
Software Engineer
Jonathan Yu
Senior Software Engineer


Recently, a vulnerability (CVE-2022-0185) was discovered in the Linux kernel (versions 5.1 and above). This vulnerability allows a user with local access inside a non-privileged user namespace to gain root access: by exploiting an integer underflow, the user can obtain the CAP_SYS_ADMIN capability in a new user namespace, a capability normally reserved for processes running as the root user.

This vulnerability affects users of Coder.

In order to exploit this vulnerability, a user must be logged into a Coder workspace.

Coder relies upon third-party components such as Docker, Sysbox, and Podman. These in turn rely heavily upon non-privileged user namespaces for security and isolation. The Nestybox team, for example, has confirmed that this issue affects downstream users.

One accepted mitigation strategy is to disable unprivileged user namespaces:

sysctl -w kernel.unprivileged_userns_clone=0

However, this mitigation strategy may interfere with core system functionality Coder needs to work. We therefore cannot recommend this. We instead recommend that you update the Linux kernel on all systems that run Coder workspaces as soon as possible.
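The following script is an added example and is not part of the Coder post or of any Coder tooling. It gives an administrator a quick per-host check for the two facts discussed above: the running kernel version (the post says 5.1 and above are affected) and the state of the kernel.unprivileged_userns_clone knob that the mitigation command sets. The patched kernel version is not stated in the post, so it is taken as an argument that you fill in from your distribution's bulletin. The knob is a Debian/Ubuntu-specific sysctl; on other distributions the script reports it as absent and treats unprivileged user namespaces as enabled, which is the conservative reading. The script and function names are mine.

```shell
#!/bin/sh
# Added example (not from the Coder post): classify a host by kernel
# version and unprivileged-userns setting for CVE-2022-0185 follow-up.

# version_ge A B -> exit status 0 if dotted version A >= B, 1 otherwise.
# Components are compared numerically, missing components count as 0.
version_ge() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | tr -dc 0-9)
        y=$(printf '%s' "$b" | cut -d. -f"$i" | tr -dc 0-9)
        [ -z "$x" ] && [ -z "$y" ] && return 0   # all components equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# classify KERNEL USERNS PATCHED -> prints one of:
#   not-affected              kernel older than 5.1 (per the post)
#   patched                   kernel >= PATCHED (value you supply)
#   mitigated-userns-disabled kernel.unprivileged_userns_clone is 0
#   vulnerable                anything else (knob absent counts as enabled)
classify() {
    kver="$1"; userns="$2"; patched="$3"
    if ! version_ge "$kver" 5.1; then
        echo "not-affected"
    elif version_ge "$kver" "$patched"; then
        echo "patched"
    elif [ "$userns" = "0" ]; then
        echo "mitigated-userns-disabled"
    else
        echo "vulnerable"
    fi
}

# main PATCHED_VERSION: inspect this host. Version suffixes such as
# "-generic" are stripped before comparison; a missing sysctl knob
# (non-Debian kernels) is reported as "absent".
main() {
    patched="$1"
    kver=$(uname -r | sed 's/[-+].*//')
    userns=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo absent)
    echo "kernel=$kver unprivileged_userns_clone=$userns status=$(classify "$kver" "$userns" "$patched")"
}

# Run only when a patched version is given, e.g.: sh check-userns.sh 5.15.16
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it on each host that executes Coder workspaces, passing the fixed kernel version from your distribution's bulletin; hosts that print "vulnerable" are the ones still needing the kernel update.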

If you have already updated to Coder version 1.27, we also recommend enabling workspace process logging, which will allow you to monitor any attempts to exploit this vulnerability.

The Ubuntu and Red Hat kernel maintainers have released security bulletins for this issue.

If you are using a different Linux distribution to run Coder, please check the security bulletins for your distribution. We recommend that you check these periodically for new information on potential vulnerabilities, and install security patches as soon as they are available.
