oss-sec mailing list archives
CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes
From: "Karp, Samuel" <skarp () amazon com>
Date: Wed, 2 Mar 2022 19:17:44 +0000
A bug was found in containerd where containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd's CRI implementation. Patches This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue. Workarounds Ensure that only trusted images are used. If you have any questions or comments about this advisory: * Open an issue [1] * Email us at security () containerd io if you think you've found a security bug. View this advisory on the web: https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 On behalf of the containerd project, Samuel Karp [1] https://github.com/containerd/containerd/issues/new/choose
Current thread:
- CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes Karp, Samuel (Mar 02)