Bug 2024938 (CVE-2021-41190)

Summary: CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: adam.kaplan, alazar, alitke, aos-bugs, bbaude, bdettelb, bmontgom, caswilli, cnv-qe-bugs, crarobin, dahernan, dwalsh, dwhatley, dymurray, eclipseo, eparis, fdeutsch, fjansen, gghezzo, go-sig, gparvin, ibolton, jburrell, jhrozek, jlanford, jligon, jmadigan, jmatthew, jmontleo, jnovy, joelsmith, jramanat, kaycoth, lgamliel, lhinds, lsm5, maszulik, maxwell, mfilanov, mfojtik, mheon, mrogers, ngough, nstielau, o.lemasle, pahickey, pamccart, pbhattac, pdhamdhe, pthomas, rfreiman, rphillips, rschiron, slucidi, spandura, sponnaga, sseago, stcannon, sttts, tsweeney, umohnani, vkumar, whayutin, xiyuan, xxia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: opencontainers/image-spec 1.0.1
Doc Type: If docs needed, set a value
Doc Text:
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Image Specification, manifest and index documents were not self-describing, so a document with a single digest could be interpreted as either a manifest or an index. OCI Image Specification version 1.0.1 recommends that both manifest and index documents contain a `mediaType` field that identifies the type of document.
Story Points: ---
Last Closed: 2022-03-10 18:31:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2024939, 2024940, 2024941, 2024943, 2026060, 2026061, 2026062, 2026063, 2026064, 2026065, 2026066, 2026067, 2026068, 2026069, 2026070, 2026071, 2031480, 2031481, 2031724, 2031725, 2031726, 2031871, 2031872, 2032905, 2032906, 2033188, 2033189, 2033190, 2033668, 2033669, 2033685, 2033686, 2085398, 2085399, 2085400, 2087238, 2087243, 2087244, 2087246, 2087249    
Bug Blocks: 2024942    

Description Pedro Sampaio 2021-11-19 14:51:21 UTC
In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

References:

https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
https://github.com/containerd/containerd/releases/tag/v1.4.12
https://github.com/containerd/containerd/releases/tag/v1.5.8
https://github.com/moby/moby/releases/tag/v20.10.11
https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35
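The ambiguity described above, as an added example that is not code from the page or from any of the referenced projects: a Go check that refuses to choose between "manifest" and "index" from the Content-Type header alone, and instead requires the document's embedded `mediaType` to agree with the fields it actually carries. Assumptions: `ociDoc` is a minimal stand-in for the real image-spec structs, and requiring `mediaType` (rather than merely recommending it, as spec 1.0.1 does) is a stricter client policy chosen here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// OCI image-spec media types for the two document kinds.
const (
	MediaTypeManifest = "application/vnd.oci.image.manifest.v1+json"
	MediaTypeIndex    = "application/vnd.oci.image.index.v1+json"
)

// ociDoc is a minimal stand-in (assumption) for the spec structs: only the
// fields needed to tell an index from a manifest.
type ociDoc struct {
	MediaType string            `json:"mediaType"`
	Manifests []json.RawMessage `json:"manifests"`
	Config    *json.RawMessage  `json:"config"`
	Layers    []json.RawMessage `json:"layers"`
}

// ResolveKind derives the kind from the body and uses Content-Type only as a
// consistency check, instead of trusting the header as Moby < 20.10.11 did.
func ResolveKind(contentType string, body []byte) (string, error) {
	var d ociDoc
	if err := json.Unmarshal(body, &d); err != nil {
		return "", err
	}
	isIndex := d.Manifests != nil
	isManifest := d.Config != nil || d.Layers != nil
	switch {
	case isIndex && isManifest:
		return "", fmt.Errorf("ambiguous document: has both index and manifest fields")
	case isIndex && d.MediaType == MediaTypeIndex, isManifest && d.MediaType == MediaTypeManifest:
		// document shape and embedded mediaType agree
	default:
		return "", fmt.Errorf("mediaType %q missing or inconsistent with document fields", d.MediaType)
	}
	if contentType != "" && contentType != d.MediaType {
		return "", fmt.Errorf("Content-Type %q disagrees with embedded mediaType %q", contentType, d.MediaType)
	}
	return d.MediaType, nil
}

func main() {
	// Constructed sample: one body readable as index or manifest, no mediaType.
	body := []byte(`{"schemaVersion":2,"manifests":[],"config":{},"layers":[]}`)
	kind, err := ResolveKind(MediaTypeIndex, body)
	fmt.Printf("kind=%q err=%v\n", kind, err)
}
```

Because the decision depends only on the body, two pulls of the same digest can no longer yield different interpretations whatever header the registry sends.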

Comment 1 Pedro Sampaio 2021-11-19 14:51:53 UTC
Created containerd tracking bugs for this issue:

Affects: epel-7 [bug 2024943]
Affects: fedora-all [bug 2024941]


Created golang-github-opencontainers-image-spec tracking bugs for this issue:

Affects: fedora-all [bug 2024939]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2024940]

Comment 18 errata-xmlrpc 2022-02-28 21:20:30 UTC
This issue has been addressed in the following products:

  OADP-1.0-RHEL-8

Via RHSA-2022:0687 https://access.redhat.com/errata/RHSA-2022:0687

Comment 19 errata-xmlrpc 2022-03-10 13:15:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:0055 https://access.redhat.com/errata/RHSA-2022:0055

Comment 20 Product Security DevOps Team 2022-03-10 18:31:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41190

Comment 21 errata-xmlrpc 2022-04-20 23:46:03 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476

Comment 22 errata-xmlrpc 2022-05-05 13:49:34 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:1734 https://access.redhat.com/errata/RHSA-2022:1734

Comment 24 errata-xmlrpc 2022-05-18 20:26:44 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-4.10

Via RHSA-2022:4668 https://access.redhat.com/errata/RHSA-2022:4668

Comment 25 errata-xmlrpc 2022-06-02 02:06:50 UTC
This issue has been addressed in the following products:

  RHACS-3.70-RHEL-8

Via RHSA-2022:4880 https://access.redhat.com/errata/RHSA-2022:4880

Comment 26 errata-xmlrpc 2022-06-09 02:06:06 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

Comment 27 errata-xmlrpc 2022-08-10 10:33:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069

Comment 28 errata-xmlrpc 2022-11-08 09:11:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457