A vulnerability in the Linux kernel, CVE-2022-0185, was recently disclosed. It affects kernel versions 5.1 and above and allows a local, unprivileged user to gain root privileges. The attack works in two steps: the user first creates a new user namespace, inside which they hold the CAP_SYS_ADMIN capability (normally reserved for processes running as root). That capability is enough to reach an integer underflow in the kernel's filesystem-mount handling code, and exploiting the underflow lets the user escalate from the namespace to root on the host.
This vulnerability affects users of Coder.
In order to exploit this vulnerability, a user must be able to run code inside a Coder workspace, i.e. be logged into one.
Coder relies on third-party components such as Docker, Sysbox, and Podman, which in turn rely heavily on unprivileged user namespaces for security and isolation. The Nestybox team, the maintainers of Sysbox, have confirmed that this issue affects downstream users.
One accepted mitigation strategy is to disable unprivileged user namespaces:
sysctl -w kernel.unprivileged_userns_clone=0
Note that kernel.unprivileged_userns_clone is a Debian- and Ubuntu-specific kernel patch; on distributions whose kernels lack it, the equivalent knob is user.max_user_namespaces=0, which forbids user namespace creation for all users, root included.
However, this mitigation interferes with the core system functionality that Docker, Sysbox, and Podman, and therefore Coder, depend on. We cannot recommend it. We instead recommend that you update the Linux kernel on all systems that run Coder workspaces as soon as possible.
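As an added example (not Coder's own tooling), the following Python script audits a host for the two preconditions the advisory describes: a kernel in the affected version range, and unprivileged user namespaces being enabled. The sysctl paths, the 5.1 threshold and the `unshare -U true` probe are the script's own assumptions drawn from the text above. A kernel release string alone cannot tell you whether your distribution has backported the fix, so treat a "kernel in affected range" result as a prompt to check the distribution bulletin, not as a verdict.

```python
#!/usr/bin/env python3
"""Host audit for the two preconditions CVE-2022-0185 needs.

Added illustration, not Coder's own code. It checks (1) whether the running
kernel is in the range the advisory lists as affected (5.1 and above) and
(2) whether unprivileged user namespaces are enabled, which is what lets an
ordinary user obtain CAP_SYS_ADMIN inside a namespace of their own.
"""
import os
import platform
import re
import subprocess
from typing import Optional, Tuple

# Debian/Ubuntu-derived kernels carry this out-of-tree knob; mainline does not.
CLONE_KNOB = "/proc/sys/kernel/unprivileged_userns_clone"
# Mainline limit on user namespaces; 0 forbids creation for everyone, root included.
MAX_USERNS_KNOB = "/proc/sys/user/max_user_namespaces"


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Turn a uname -r string such as '5.15.16-generic' into (5, 15, 16)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def kernel_in_affected_range(release: str) -> bool:
    """True if the kernel is 5.1 or later, the range the advisory lists as affected.

    True means 'check your distribution bulletin', not 'vulnerable':
    distributions ship fixed kernels under the same major.minor version.
    """
    return parse_kernel_release(release) >= (5, 1, 0)


def read_knob(path: str) -> Optional[str]:
    """Return the sysctl value at path, or None if the knob does not exist/readable."""
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return None


def unprivileged_userns_allowed(clone_knob: Optional[str],
                                max_userns: Optional[str]) -> bool:
    """Decide from the two knob values whether an unprivileged user can
    unshare(CLONE_NEWUSER). Either knob at 0 disables it; a missing knob (None)
    imposes no restriction.
    """
    if clone_knob is not None and clone_knob.strip() == "0":
        return False
    if max_userns is not None and max_userns.strip() == "0":
        return False
    return True


def probe_userns_live() -> Optional[bool]:
    """Try to create a user namespace as the current user with unshare(1).

    Returns True/False for an unprivileged caller, None if the probe is not
    meaningful (root always succeeds) or unshare(1) cannot be run here.
    """
    if os.geteuid() == 0:
        return None
    try:
        proc = subprocess.run(["unshare", "-U", "true"],
                              capture_output=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.returncode == 0


def audit() -> dict:
    """Collect the checks into one report; the caller decides what to do with it."""
    release = platform.release()
    clone, max_ns = read_knob(CLONE_KNOB), read_knob(MAX_USERNS_KNOB)
    return {
        "kernel_release": release,
        "kernel_in_affected_range": kernel_in_affected_range(release),
        "unprivileged_userns_by_sysctl": unprivileged_userns_allowed(clone, max_ns),
        "unprivileged_userns_live_probe": probe_userns_live(),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Run it as an ordinary (non-root) user on each host that runs Coder workspaces: the live probe is only informative when the caller is unprivileged, since root can always create a user namespace. A host that reports both "kernel in affected range" and user namespaces allowed is exactly the configuration the advisory is about, and the action is to install the distribution's patched kernel rather than to flip the sysctl.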
If you have already updated to Coder version 1.27, we also recommend enabling workspace process logging, which lets you monitor for attempts to exploit this vulnerability.
The Ubuntu and Red Hat kernel maintainers have released security bulletins for this issue:
- Ubuntu: https://ubuntu.com/security/CVE-2022-0185
- Red Hat: https://access.redhat.com/security/cve/CVE-2022-0185
If you run Coder on a different Linux distribution, check that distribution's security bulletin for this CVE. We recommend that you check these bulletins periodically for new information on potential vulnerabilities, and install security patches as soon as they are available.