Description
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability: the directories `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. The issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. As workarounds, the system administrator on the host can manually chmod the directories so that they are not group- or world-accessible, or containerd can be run in rootless mode.
The result is a local privilege escalation vulnerability in containerd: the overly broad default permissions allow local users on the host to potentially access the metadata store, the content store and the contents of Kubernetes local volumes. Those volumes may contain setuid binaries, which could allow a local user on the host to elevate privileges on the host.
Mitigation
The system administrator on the host can manually chmod the directories so that they are not group- or world-accessible.
An alternative mitigation would be to run containerd in rootless mode.
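A small POSIX shell helper, added here as an example and not taken from the advisory or from containerd, that audits the three directories named above for group or world access and applies the chmod workaround. The function names and the 0700 target mode are my choices; the advisory only requires that group and world access be removed.

```shell
#!/bin/sh
# Added example (not from the advisory or the containerd project): audit the
# directories named in the advisory and optionally tighten them to owner-only.
# Usage after sourcing:  . ./containerd_dir_audit.sh; audit_dirs $CONTAINERD_DIRS
#                        tighten_dirs $CONTAINERD_DIRS   (as root, to apply chmod)

CONTAINERD_DIRS="/var/lib/containerd /run/containerd/io.containerd.grpc.v1.cri /run/containerd/io.containerd.sandbox.controller.v1.shim"

# Octal mode of a path, e.g. 755; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeeds when the mode grants nothing to group or others,
# i.e. the last two octal digits are 00 (700, 2700, 1700, ...).
is_owner_only() {
    m=$(mode_of "$1") || return 1
    [ "${m#${m%??}}" = "00" ]
}

# Report each directory; the return value is the number of directories that
# are still group- or world-accessible (0 means everything is owner-only).
audit_dirs() {
    bad=0
    for d in "$@"; do
        [ -d "$d" ] || { echo "skip: $d does not exist"; continue; }
        if is_owner_only "$d"; then
            echo "ok:   $d ($(mode_of "$d"))"
        else
            echo "WARN: $d is group/world accessible ($(mode_of "$d"))"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Apply the advisory's workaround: chmod too-permissive directories to 0700
# (owner-only; 0700 is this example's choice of a mode with no group/other bits).
tighten_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        is_owner_only "$d" && continue
        chmod 0700 "$d" && echo "fixed: $d -> 0700"
    done
}
```

Run `tighten_dirs` as root; upgrading to one of the fixed releases listed above removes the need for the manual chmod.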
Affected packages
| Platform | Package | Status | Recommendation | Release |
|---|---|---|---|---|
| Assisted Installer for Red Hat OpenShift Container Platform 2 | assisted/agent-preinstall-image-builder-rhel9 | Not affected | | |
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-agent-rhel9 | Affected | | |
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-controller-rhel9 | Affected | | |
| Compliance Operator | compliance/openshift-compliance-must-gather-rhel8 | Not affected | | |
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9 | Not affected | | |
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-monitor-rhel9 | Not affected | | |
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-must-gather-rhel9 | Not affected | | |
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-operator-bundle | Not affected | | |
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-podvm-builder-rhel9 | Not affected | | |
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-podvm-payload-rhel9 | Not affected | | |
Additional information
CVSS3: 7.7 High
Related vulnerabilities
containerd affected by a local privilege escalation via wide permissions on CRI directory