Executive Summary
An Elevation of Privilege (EOP) vulnerability has been identified within Service Fabric clusters that run Docker containers. Exploiting it requires an attacker to first gain remote code execution inside a container. All Service Fabric releases and Docker versions on Linux clusters prior to the fix are affected; Windows clusters are not affected (see below).
According to the CVSS metric, the Privileges Required value is High (PR:H). What would lead to a successful attack?
For an attack to succeed, the attacker would need read/write access to the cluster and the ability to execute hostile code inside a container that has been granted access to the Service Fabric runtime.

What is being fixed in CVE-2022-30137?
The Azure Service Fabric team is releasing a patch that further strengthens security in Linux clusters by applying the principle of least privilege. Windows clusters are NOT impacted by this vulnerability.

How can I protect myself?
Customers without automatic updates enabled should upgrade their Linux clusters to the most recent Service Fabric release. Customers whose Linux clusters are updated automatically do not need to take further action. We have also updated our public security guidance to include details on the implications of hosting untrusted code or having one's containers compromised. Please see the information here: Hosting untrusted applications in a Service Fabric cluster
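The guidance above separates clusters into three groups: Windows (not affected), Linux with automatic upgrades (no action), and Linux with manual upgrades (upgrade to the latest release). The following script is an added example, not code from this advisory or from the Service Fabric project, that applies that decision to a cluster inventory. It assumes the inventory is the JSON printed by `az sf cluster list -o json` (ARM cluster resources, whose properties include `vmImage`, `upgradeMode` and `clusterCodeVersion`), and that the operator supplies the first fixed Linux runtime version from the Service Fabric release notes, since the advisory itself names no version number. The embedded `SAMPLE_INVENTORY` is constructed for illustration and is not real tenant data.

```python
"""Triage Service Fabric clusters against the CVE-2022-30137 upgrade guidance.

Added example; not code from the advisory or the Service Fabric project.
Assumptions: input is `az sf cluster list -o json` output (fields `vmImage`,
`upgradeMode`, `clusterCodeVersion`), and the operator supplies the first
fixed Linux version from the release notes (the advisory names none).
"""
import json
import sys
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a code version such as '9.0.1035.1' into a tuple for numeric
    comparison, so that 9.0.10.1 sorts after 9.0.9.9 (a plain string compare
    would get this wrong). Raises ValueError for anything that is not
    dot-separated integers."""
    return tuple(int(part) for part in version.strip().split("."))


def classify(cluster: Dict, min_fixed: str) -> str:
    """Map one cluster resource to an action taken from the advisory text.

    not_affected    - Windows cluster (advisory: Windows clusters are NOT impacted)
    auto_updates    - Linux cluster with upgradeMode Automatic (no further action)
    patched         - Linux, manual upgrades, already at or past min_fixed
    needs_upgrade   - Linux, manual upgrades, below min_fixed
    unknown_os / unknown_version - inventory too incomplete to decide; review by hand
    """
    image = str(cluster.get("vmImage") or "").lower()
    if "windows" in image:
        return "not_affected"
    if "linux" not in image:
        # vmImage is free text; anything that is not clearly Windows or Linux
        # is flagged rather than silently treated as safe.
        return "unknown_os"
    if str(cluster.get("upgradeMode") or "").lower() == "automatic":
        return "auto_updates"
    try:
        current = parse_version(cluster.get("clusterCodeVersion") or "")
        return "patched" if current >= parse_version(min_fixed) else "needs_upgrade"
    except ValueError:
        return "unknown_version"


def triage(clusters: List[Dict], min_fixed: str) -> List[Dict]:
    """Return one record per cluster: name, status, current version, upgrade mode."""
    return [
        {
            "name": c.get("name", "<unnamed>"),
            "status": classify(c, min_fixed),
            "version": c.get("clusterCodeVersion"),
            "upgradeMode": c.get("upgradeMode"),
        }
        for c in clusters
    ]


# Constructed sample in the shape of `az sf cluster list -o json`; not real data.
SAMPLE_INVENTORY = [
    {"name": "lin-manual-old", "vmImage": "Linux", "upgradeMode": "Manual",
     "clusterCodeVersion": "8.2.1686.1"},
    {"name": "lin-auto", "vmImage": "Linux", "upgradeMode": "Automatic",
     "clusterCodeVersion": "8.2.1686.1"},
    {"name": "win-manual", "vmImage": "Windows", "upgradeMode": "Manual",
     "clusterCodeVersion": "8.2.1686.1"},
]


def main() -> None:
    """Usage: az sf cluster list -o json | python sf_triage.py <min-fixed-linux-version>"""
    if len(sys.argv) != 2:
        sys.exit("usage: az sf cluster list -o json | sf_triage.py <min-fixed-linux-version>")
    parse_version(sys.argv[1])  # fail early on a malformed version argument
    for row in triage(json.load(sys.stdin), sys.argv[1]):
        print(f"{row['status']:15} {row['name']:30} {row['version']} ({row['upgradeMode']})")


if __name__ == "__main__":
    main()
```

Clusters reported as `needs_upgrade` are the ones the advisory asks you to act on; `unknown_os` and `unknown_version` rows mean the inventory did not carry enough information and should be checked by hand rather than assumed safe. Switching a manual cluster to automatic upgrades afterwards (for example with `az sf cluster upgrade-type set --upgrade-mode Automatic`) keeps it in the "no further action" group for future fixes.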
Acknowledgements
Aviv Sasson with Palo Alto Networks