SLES 15 — umoci — multiple vulnerabilities (2 CVEs) — patch and remediation guide

📖 ~4 min read  •  Source: SUSE advisory SUSE-SU-2021:1116-1 (see also SUSE bugzilla)

Related CVEs: CVE-2021-29136 CVE-2021-41190

Upstream summary: Open Container Initiative umoci before 0.4.7 allows attackers to overwrite arbitrary host paths via a crafted image that causes symlink traversal when "umoci unpack" or "umoci raw unpack" is used.

Table of contents

1. Symptom & Impact
2. Environment & Reproduction
3. Root Cause Analysis
4. Quick Triage
5. Step-by-Step Diagnosis
6. Solution – Primary Fix
7. Solution – Alternative Approaches
8. Verification & Acceptance Criteria
9. Rollback Plan
10. Prevention & Hardening
11. Related Errors & Cross-Refs
12. References & Further Reading

Symptom & Impact

On SLES 15 hosts that have umoci installed, administrators report behaviour consistent with SUSE advisory SUSE-SU-2021:1116-1: zypper patch-check lists open patches, services backed by umoci fail or restart unexpectedly, AppArmor profile warnings appear in journalctl -k — and for security-rated advisories the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever umoci sits on the serving path.

Environment & Reproduction

Reproduction targets SLES 15. Confirm release, registration, and installed package:

cat /etc/os-release
SUSEConnect --status-text
SUSEConnect --list-extensions 2>/dev/null | head -30
rpm -q umoci
zypper info umoci | head -20

Trigger the workflow that exposes umoci — multiple vulnerabilities (2 CVEs) — patch and remediation guide while collecting:

sudo journalctl -u umoci -b --no-pager | tail -200
sudo journalctl -xe --no-pager | tail -200
sudo tail -200 /var/log/zypp/history
sudo tail -200 /var/log/audit/audit.log
# For SUSE support, bundle evidence with supportconfig:
sudo supportconfig -R /var/tmp -B umoci

Root Cause Analysis

Root cause is documented in SUSE advisory SUSE-SU-2021:1116-1. SUSE security maintainers shipped fixes in the corresponding umoci update for SLES 15; running an outdated build leaves the host exposed to the failure modes described in the advisory. Correlate zypper history with system logs:

sudo zypper history | grep umoci
sudo zypper history --since='-7 days' | tail -40
sudo journalctl -k | grep -i apparmor | tail -100
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on SLES 15 to capture the current state of umoci:

rpm -q umoci                              # installed NVR
rpm -V umoci                              # verify shipped files
sudo zypper patch-check                    # open patches
sudo zypper lp -r SUSE-SLE-Server-15-* 2>/dev/null | head
systemctl --failed --no-pager
sudo firewall-cmd --list-all
sudo aa-status                              # AppArmor profiles
# If umoci ships a systemd unit (unit name may differ from pkg name, e.g.
# bind→named, postgresql-server→postgresql, php-fpm→php-fpm):
systemctl list-unit-files | grep -i umoci | head

Step-by-Step Diagnosis

1. List failed systemd units.

   systemctl --failed --no-pager

2. Tail the journal for umoci and the system bus.

   sudo journalctl -u umoci -f --no-pager
   sudo journalctl -xe -f --no-pager

3. Inspect firewall posture (firewalld is the default on SLES 15+).

   sudo firewall-cmd --list-all-zones --permanent
   sudo nft list ruleset 2>/dev/null | head -50

4. Surface AppArmor denials and switch the profile to complain mode if needed.

   sudo journalctl -k | grep -i 'apparmor="DENIED"' | tail -30
   sudo aa-status
   sudo aa-complain /etc/apparmor.d/usr.sbin.umoci 2>/dev/null || true

5. Verify umoci integrity and reinstall if anything is altered.

   sudo rpm -V umoci
   sudo zypper verify
   sudo zypper install --force umoci

6. Correlate findings with /var/log/zypp/history, zypper history, and SUSE advisory SUSE-SU-2021:1116-1 to pin the change that introduced umoci — multiple vulnerabilities (2 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective zypper transaction referenced by SUSE advisory SUSE-SU-2021:1116-1, then reload affected systemd units:

sudo zypper ref                        # refresh repos
sudo zypper -n patch                   # apply ALL open patches (recommended)
# Or target a single package:
sudo zypper -n update umoci
sudo systemctl daemon-reload
# Unit name may differ from pkg name; check first:
systemctl list-unit-files | grep -i umoci | head
sudo systemctl restart umoci
rpm -q umoci                           # confirm new NVR
systemctl is-active umoci 2>/dev/null  # confirm running (if a unit exists)

For kernel / glibc / systemd / openssl advisories a reboot is required (or SLE Live Patching where licensed):

sudo zypper ps -s                      # services using deleted libs
sudo systemctl reboot                  # or: sudo shutdown -r now
# SUSE Live Patching (kgraft / klp) avoids reboot for kernel CVEs:
sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
klp -v patches                         # active livepatches

Solution – Alternative Approaches

If the primary patch is not viable, choose from these:

• Roll back via Snapper (Btrfs snapshots taken automatically before zypper transactions on SLES 15):

  sudo snapper list
  sudo snapper undochange <pre>..<post>  # diff between two snapshot numbers
  sudo snapper rollback <pre>            # boot the host into the chosen snapshot

• Lock the package so zypper cannot upgrade it:

  sudo zypper al umoci                   # add lock
  zypper ll | grep umoci                 # list locks
  sudo zypper rl umoci                   # remove lock

• Install an older NVR if a regression is suspected:

  zypper se -s umoci                     # show all available versions
  sudo zypper install --oldpackage umoci-<older-NVR>

• Disable the AppArmor profile briefly to confirm policy is the cause, then re-enable:

  sudo aa-disable /etc/apparmor.d/usr.sbin.umoci
  # reproduce, capture denials in the journal:
  sudo journalctl -k | grep apparmor | tail
  sudo aa-enforce /etc/apparmor.d/usr.sbin.umoci

• Where SLE Live Patching is licensed, apply kernel fixes without reboot:

  klp -v patches                         # active livepatches
  sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)

Verification & Acceptance Criteria

All of these should pass after the fix:

rpm -q umoci                                            # expected fixed NVR
sudo zypper patch-check                                  # 0 critical patches outstanding
systemctl is-active umoci 2>/dev/null
sudo journalctl -u umoci --since "5 minutes ago" --no-pager | grep -iE "error|fail" || echo OK
sudo firewall-cmd --list-services
sudo aa-status | head -5
sudo zypper ps -s                                        # any services still using deleted libs

The original reproduction for umoci — multiple vulnerabilities (2 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

rpm -qa > /root/rpm-pre.txt
sudo zypper history list > /root/zypper-history-pre.txt
# Snapper takes pre/post snapshots automatically on Btrfs root.
sudo snapper create -d 'pre-patch-umoci'   # explicit named snapshot
sudo snapper list | head

To revert if the patch is bad:

# Preferred on Btrfs root — boot the prior snapshot:
sudo snapper rollback <snapshot-id>
sudo systemctl reboot
# Or downgrade just the package:
sudo zypper install --oldpackage umoci-<older-NVR>
sudo systemctl daemon-reload
sudo systemctl restart umoci
# Custom security policy cleanup:
sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.umoci

Prevention & Hardening

Reduce the chance of this recurring on SLES 15:

• Enable automatic patch installation:

  sudo zypper install -y zypper-automatic
  sudo systemctl enable --now zypper-automatic.timer
  # Or use YaST: yast2 online_update_configuration

• Subscribe to sle-security-updates and watch suse.com/support/update.

• Mirror through SUSE Manager or RMT (Repository Mirroring Tool) for controlled rollouts:

  sudo zypper install -y rmt-server rmt-cli
  sudo rmt-cli sync
  sudo rmt-cli products enable SLES/15/x86_64

• Lock sensitive packages so they cannot be auto-upgraded:

  sudo zypper al umoci

• Ensure Snapper is enabled on the root subvolume and pre/post hooks run for every zypper transaction:

  sudo snapper -c root get-config | head
  # Default zypper plugin: /usr/lib/zypp/plugins/commit/snapper.zypp-commit-plugin

• Monitor file integrity with AIDE:

  sudo zypper install -y aide
  sudo aide --init && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  sudo aide --check

• Subscribe to SUSE Live Patching so kernel CVEs can be remediated without reboot:

  sudo SUSEConnect -p sle-module-live-patching/15.0/x86_64
  sudo zypper install -y kernel-livepatch-$(uname -r | tr - _)
  klp -v patches

• Keep AppArmor profiles in enforce; review /etc/apparmor.d/ after every package upgrade.

• Apply CIS SUSE Linux Enterprise Server Benchmark hardening.

Related Errors & Cross-Refs

Issues that commonly surface alongside umoci — multiple vulnerabilities (2 CVEs) — patch and remediation guide: zypper lock contention, systemd unit ordering cycles, AppArmor denials, firewalld zone drift, and kernel taint flags. Useful triage:

sudo zypper ps -s
systemd-analyze critical-chain
sudo journalctl -k | grep apparmor | tail
sudo firewall-cmd --get-active-zones
cat /proc/sys/kernel/tainted

View all sles-15 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: SUSE advisory SUSE-SU-2021:1116-1 (see also SUSE bugzilla). Manual pages useful on SLES 15:

man zypper
man zypper.conf
man systemctl
man journalctl
man firewall-cmd
man snapper
man apparmor
man aa-status
man SUSEConnect
man klp

Other resources: SUSE Linux Enterprise Server 15 documentation, suse.com/security, SUSE security blog, and per-package notes in /usr/share/doc/packages/umoci/ for components implicated in umoci — multiple vulnerabilities (2 CVEs) — patch and remediation guide.