exploitDog
BDU:2023-03675

Published: Nov 17, 2021
Source: fstec
CVSS3: 3
CVSS2: 4
EPSS: Low

Description

A vulnerability in the Open Container Initiative Distribution Specification (OCI Distribution Specification), the API protocol that simplifies and standardizes the distribution of container content, is caused by a type-confusion error when handling the Content-Type header of documents that contain the fields "manifests" and "layers" or "manifests" and "config" during push and pull operations. Exploitation of the vulnerability could allow a remote attacker to affect the integrity of protected information.

Vendor

Red Hat Inc.
Fedora Project
RED SOFT LLC
IVK JSC
IBM Corp.
Free software community
Cloud Native Computing Foundation
Moby Project

Software name

Red Hat Enterprise Linux
Fedora
RED OS
Alt 8 SP
Red Hat OpenShift Container Platform
Red Hat Advanced Cluster Security (RHACS) for Kubernetes
Red Hat Advanced Cluster Management for Kubernetes
IBM CICS TX Advanced
Red Hat Migration Toolkit for Containers
Podman
Open Container Initiative Distribution Specification
OCI Image Format Specification
Containerd
Moby

Software version

8 (Red Hat Enterprise Linux)
34 (Fedora)
35 (Fedora)
7.3 (RED OS)
- (Alt 8 SP)
4 (Red Hat OpenShift Container Platform)
9 (Red Hat Enterprise Linux)
4.10 (Red Hat OpenShift Container Platform)
3.70 (Red Hat Advanced Cluster Security (RHACS) for Kubernetes)
2.5 (Red Hat Advanced Cluster Management for Kubernetes)
11.1 (IBM CICS TX Advanced)
1.7 (Red Hat Migration Toolkit for Containers)
before 3.4.3 (Podman)
up to and including 1.0.0 (Open Container Initiative Distribution Specification)
up to and including 1.0.1 (OCI Image Format Specification)
before 1.4.12 (Containerd)
from 1.5.0 before 1.5.8 (Containerd)
before 20.10.11 (Moby)
4.11 (Red Hat OpenShift Container Platform)

Software type

Operating system
Application software for information systems
Security tool
Network tool

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux 8
Fedora Project Fedora 34
Fedora Project Fedora 35
RED SOFT LLC RED OS 7.3
IVK JSC Alt 8 SP -
Red Hat Inc. Red Hat Enterprise Linux 9

Vulnerability severity

Medium severity (CVSS 2.0 base score: 4)
Low severity (CVSS 3.0 base score: 3)

Possible remediation measures

Follow the vendor recommendations:
For Open Container Initiative Distribution Specification:
https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923
https://github.com/opencontainers/distribution-spec/releases/tag/v1.0.1
For OCI Image Format Specification:
https://github.com/opencontainers/image-spec/releases/tag/v1.0.2
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
For Podman:
https://github.com/containers/podman/releases/tag/v3.4.3
For Containerd:
https://github.com/containerd/containerd/releases/tag/v1.4.12
https://github.com/containerd/containerd/releases/tag/v1.5.8
For Moby:
https://github.com/moby/moby/releases/tag/v20.10.11
For RED OS:
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
For Red Hat Inc. products:
https://access.redhat.com/security/cve/cve-2021-41190
For Fedora:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/
For IBM CICS TX Advanced:
https://www.ibm.com/support/pages/security-bulletin-ibm-cics-tx-advanced-vulnerable-open-container-initiative-distribution-specification-vulnerability-cve-2021-41190
Compensating measures:
When pulling data from a registry, it is recommended to inspect documents whose Content-Type header is accompanied by content containing both the "manifests" and "layers" fields or the "manifests" and "config" fields, and to reject such documents.
For Alt 8 SP OS: install the update from the product's public repository.
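The client-side check described in the compensating measures above, written out as an added Go example (not code from any of the listed projects): it rejects a document that could be read as both an index and a manifest, requires an embedded mediaType to equal the Content-Type header, and requires the header to match the document's actual shape. The media-type constants are the OCI image-spec values; the sample document is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
)

// OCI image-spec media types; an index has "manifests", a manifest "config"+"layers".
const (
	mtIndex    = "application/vnd.oci.image.index.v1+json"
	mtManifest = "application/vnd.oci.image.manifest.v1+json"
)

// CheckPulledDocument applies the client-side mitigation above: reject a document
// readable as both index and manifest, require an embedded mediaType to equal the
// Content-Type header, and require the header to match the document's real shape.
func CheckPulledDocument(contentType string, body []byte) error {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(body, &doc); err != nil {
		return fmt.Errorf("not a JSON object: %w", err)
	}
	_, hasManifests := doc["manifests"]
	_, hasLayers := doc["layers"]
	_, hasConfig := doc["config"]
	if hasManifests && (hasLayers || hasConfig) {
		return fmt.Errorf("ambiguous document: index and manifest fields together")
	}
	headerType, _, err := mime.ParseMediaType(contentType) // strips parameters
	if err != nil {
		return fmt.Errorf("bad Content-Type header: %w", err)
	}
	if raw, ok := doc["mediaType"]; ok {
		var embedded string
		if err := json.Unmarshal(raw, &embedded); err != nil || embedded != headerType {
			return fmt.Errorf("mediaType %s does not match Content-Type %q", raw, headerType)
		}
	}
	if (headerType == mtIndex) != hasManifests {
		return fmt.Errorf("Content-Type %q does not match document shape", headerType)
	}
	return nil
}

func main() {
	// Constructed sample: an ambiguous document that a vulnerable client would
	// read as a manifest or an index depending only on the header it receives.
	bad := []byte(`{"schemaVersion":2,"manifests":[],"config":{},"layers":[]}`)
	fmt.Println(CheckPulledDocument(mtManifest, bad))
}
```

The same digest served twice with different Content-Type headers is caught by the mediaType and shape checks, since the document content, not the header alone, now decides how it is interpreted.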

Vulnerability status

Confirmed by vendor

Exploit availability

Under investigation

Remediation information

Vulnerability fixed

Source links

Identifiers in other vulnerability description systems

EPSS

0.00166 (percentile: 38%, Low)

CVSS3

3 Low

CVSS2

4 Medium

Related vulnerabilities

CVSS3: 3
ubuntu
more than 3 years ago

The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are ...

CVSS3: 5
redhat
more than 3 years ago


CVSS3: 3
nvd
more than 3 years ago


suse-cvrf
more than 3 years ago

Security update for singularity

suse-cvrf
25 days ago

Security update for umoci
