Описание
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
A flaw was found in containerd package. Containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This issue could cause unexpected behavior for environments that require containers to run as a non-root user.
Отчет
For Red Hat OpenShift GitOps and OpenShift Container Platform deployments, image sources are controlled through OpenShift's Image configuration and RBAC policies. Administrators can restrict image imports to trusted registries using allowedRegistriesForImport and registrySources configuration.In typical GitOps deployments, application images are pulled from pre-approved registries configured by platform administrators.
Меры по смягчению последствий
To mitigate this vulnerability, ensure that only trusted images are used and that only trusted users have permissions to import images. To implement the recommended controls in OpenShift:
- Restrict allowed registries at the cluster level by configuring image.config.openshift.io/cluster with allowedRegistriesForImport and registrySources.allowedRegistries.
- To find out who can pull/import container images into OpenShift for that namespace Based on RBAC permissions:
oc adm policy who-can create imagestreamimports -n <namespace> - Enforce image signature verification using sigstore or cluster image signature policies.
- For GitOps deployments, use Gatekeeper/OPA policies to enforce that ArgoCD Applications reference only approved registries.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai-tech-preview/assisted-installer-agent-rhel8 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-acmesolver-rhel9 | Fix deferred | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/jetstack-cert-manager-rhel9 | Fix deferred | ||
| Deployment Validation Operator | deployment-validation-operator-container | Fix deferred | ||
| Logging Subsystem for Red Hat OpenShift | openshift-logging/logging-loki-rhel9 | Fix deferred | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-validation-rhel9 | Fix deferred | ||
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-service-8-rhel8 | Fix deferred | ||
| Multicluster Engine for Kubernetes | multicluster-engine/assisted-service-9-rhel9 | Fix deferred | ||
| Network Observability Operator | network-observability/network-observability-cli-rhel9 | Fix deferred | ||
| OpenShift Developer Tools and Services | jenkins-agent-base-container | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
4.6 Medium
CVSS3
Связанные уязвимости
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
containerd is an open-source container runtime. A bug was found in con ...
EPSS
4.6 Medium
CVSS3