Описание
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either /etc/hosts, /etc/hostname, or /etc/resolv.conf. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
An incorrect permission assignment flaw was found in containerd. This flaw allows a local attacker to use a specially designed text file to read and write files outside of the container's scope.
Отчет
Because Red Hat OpenStack Platform's director-operator does not use hostPath volumes, the RHOSP Impact has been rated Low impact and no updates will be provided at this time for its containers. In Red Hat OpenShift Container Platform (OCP) the containerd package is not actually used, but because the containerd API is supported the core OCP components are listed as affected by this CVE and the impact is reduced to Low.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | containerd | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicloud-operators-channel-container | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicloud-operators-subscription-container | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicloud-operators-subscription-release-container | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | multicluster-hub-repo-container | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/prometheus-rhel8 | Affected | ||
| Red Hat OpenShift Container Platform 4 | cri-o | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift | Affected | ||
| Red Hat OpenShift Container Platform 4 | openshift-clients | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
8 High
CVSS3
Связанные уязвимости
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
containerd is an open source container runtime. On installations using ...
Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux
EPSS
8 High
CVSS3