Bug 2044434 (CVE-2021-43816)

Summary: CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged regular file on disk
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aos-bugs, apjagtap, asatyam, bdettelb, caswilli, dbecker, diagrawa, fjansen, go-sig, gparvin, jburrell, jjoyce, joelsmith, jramanat, jschluet, kaycoth, lhh, lpeer, maxwell, mburns, njean, o.lemasle, pahickey, rfreiman, rhos-maint, sabiswas, sclewis, slinaber, spandura, stcannon, tkasparek, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: github.com/containerd/containerd 1.5.9 Doc Type: If docs needed, set a value
Doc Text:
An incorrect permission assignment flaw was found in containerd. This flaw allows a local attacker to use a specially designed text file to read and write files outside of the container's scope.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-06-09 04:50:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2044435, 2044436, 2047533, 2047534, 2047535, 2047703, 2047706, 2047707, 2047708, 2047709, 2057145, 2057146    
Bug Blocks: 2044437    

Description Pedro Sampaio 2022-01-24 15:37:47 UTC 
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
https://github.com/containerd/containerd/issues/6194
https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299
https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea
Comment 1 Pedro Sampaio 2022-01-24 15:38:11 UTC 
Created containerd tracking bugs for this issue:

Affects: epel-7 [bug 2044435]
Affects: fedora-all [bug 2044436]
Comment 8 errata-xmlrpc 2022-03-03 06:58:20 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735
Comment 9 errata-xmlrpc 2022-06-09 02:06:17 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956
Comment 10 Product Security DevOps Team 2022-06-09 04:50:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43816