Reading time ~2 minutes
CVE-2022-0847 (aka Dirty Pipe):
What does it mean for defenders
CVE-2022-0847 (aka “Dirty Pipe”) was released earlier this week (
This blog aims to provide a quick summary and actionable advice for defenders of cloud environments and those teams who are asked to determine its impact on their company’s infrastructure.
From the original disclosure page (“The Dirty Pipe Vulnerability”):
CVE-2022-0847 is a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.
(The page continues providing the technical details of the kernel vulnerability for those interested.)
At the same time, the Aqua Security team provided a higher-level description of the vulnerability, as well as proof of exploitation, in their post titled “ Dirty Pipe Linux Vulnerability: Overwriting Files in Container Images”:
“Dirty Pipe”, is a vulnerability that allows users on a Linux system to overwrite the contents of files that they can read but shouldn’t be able to write to. Looking at this vulnerability from the perspective of hosts using containerization software such as Docker, it was possible to modify files from container images on the host, from inside a container — something that generally shouldn’t be possible.
Means of exploitation
In short, this vulnerability lets a running container change files in its underlying image, as well as any files that are mounted read-only from the underlying host. For example, if the container runtime runs multiple containers generated from the same image, then Dirty Pipe can be used to attack this image, and thus the other containers spawned from it.
To exploit this issue, two conditions must be met:
- The kernel version of the host is vulnerable (5.8+).
- Attackers can interact with a container on the host.
As from the Aqua Security blog:
The issue is likely to have the most impact where there are many containers running with a shared image file and untrusted users can access individual containers but shouldn’t be able to modify files on the underlying host.
Update 2022-03-09, 11:00AM GMT
It looks like the DirtyPipe vulnerability can also be used for breaking out from unprivileged containers:
Looks like the DirtyPipe vulnerability can also be used for breaking out from unprivileged containers— Christophe (@christophetd) March 8, 2022
(didn't see a public PoC for container breakout yet) https://t.co/YpbWucX8ts
Subscribe to CloudSecList
How does this affect Cloud Providers?
@christophetd started a handy Twitter thread that tries to collate impact on major cloud providers. Here is an up-to-date summary:
Vanilla versions of Ubuntu do not have a patch available yet (ref).
In this post I provided
a quick summary and actionable advice for defenders of cloud environments and those teams who are asked to determine the impact of
CVE-2022-0847 on their company’s infrastructure.
I’ll keep updating it as new information (and mitigations) are released.
I hope you found this post useful and interesting, and I’m keen to get feedback on it! If you find the information shared was useful, if something is missing, or if you have ideas on how to improve it, please let me know on Twitter.