I recognize that Discourse doesn’t directly call pkexec but it is present, setuid root, in the base image. At least when I looked yesterday it looked like it was still the vulnerable version. For defense-in-depth, it would be appropriate to update the base image to address CVE-2021-4034 either by updating the software, removing polkit, removing pkexec, or removing the setuid bit from pkexec.
My mitigation has been to add

```yaml
- exec: chmod 755 /usr/bin/pkexec
```

to the custom commands block in container definition YAML files.
If I’m wrong and CVE-2021-4034 has been addressed, please accept my apologies, let us know, and the next person who searches for polkit, pkexec, or CVE-2021-4034 will find this post.
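
A way to confirm inside the container that the `chmod` mitigation above took effect, as an added example that is not part of the original post. The function names `suid_status` and `audit_suid` are made up for illustration.

```shell
#!/bin/sh
# Added example: report whether a binary still carries the setuid bit.
# suid_status prints one of: absent | setuid-root | setuid | not-setuid
suid_status() {
    f=$1
    if [ ! -e "$f" ]; then
        echo absent
        return 0
    fi
    if [ -u "$f" ]; then
        # Numeric owner from ls, to avoid depending on a particular stat(1).
        owner=$(ls -ldn "$f" | awk '{print $3}')
        if [ "$owner" = "0" ]; then
            echo setuid-root
        else
            echo setuid
        fi
    else
        echo not-setuid
    fi
}

# audit_suid prints the status of each path given and returns 1 if any
# of them is still setuid, so it can gate a build or a health check.
audit_suid() {
    rc=0
    for f in "$@"; do
        s=$(suid_status "$f")
        printf '%s: %s\n' "$f" "$s"
        case $s in
            setuid*) rc=1 ;;
        esac
    done
    return "$rc"
}

# Stand-alone use: sh check.sh /usr/bin/pkexec
if [ "$#" -gt 0 ]; then
    audit_suid "$@"
fi
```

Run it after each rebuild; a package upgrade that reinstalls pkexec can restore the original mode.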