A flaw was found in libcni. A user may be able to change the "type:" field in a CNI configuration to an arbitrary path and could execute arbitrary binaries on a host. Upstream patch: https://github.com/containernetworking/cni/pull/808
Upstream fix: https://github.com/containernetworking/cni/pull/808
Generally for this vulnerability adding and removing network definitions will be a privileged operation. However as this is a library it's difficult to determine all uses and as such considering the worst case and as this is unexpected behaviour it's considered a security issue. The greatest risk will be to applications which load network definitions - however as it is a go mod library, go binaries which depend on containernetworking/cni may also be affected by this and affects for OpenShift containers have been added as such.
containernetworking-plugins package should be looked at. It uses github.com/containernetworking/plugins which vendors in containernetworking/cni. https://github.com/containernetworking/plugins/blob/master/go.mod#L10
(In reply to Lokesh Mandvekar from comment #7) > containernetworking-plugins package should be looked at. It uses > github.com/containernetworking/plugins which vendors in > containernetworking/cni. > https://github.com/containernetworking/plugins/blob/master/go.mod#L10 This package is present in both RHEL and Fedora.
Our scans for the containers should account for that - but i'll double check to make sure. We're just confirming the RPM affects now, but good point about the rpm tho, will do, thanks @lsm5!
Created containernetworking-plugins tracking bugs for this issue: Affects: fedora-all [bug 1925399] Created golang-github-containernetworking-cni tracking bugs for this issue: Affects: fedora-all [bug 1925398]
Acknowledgments: Name: Casey Callendrello (Red Hat)
Created buildah tracking bugs for this issue: Affects: fedora-all [bug 1926796]
Created podman tracking bugs for this issue: Affects: fedora-all [bug 1926801]
Statement: OpenShift ServiceMesh (OSSM) does package a vulnerable version of containernetworking/cni, however, the NetworkDefinitionAttachment is defined in code and cannot be easily changed except through a user who has access to the operator namespace such as cluster-admin. As such, for OSSM, the impact is Low.
This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20206
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1007 https://access.redhat.com/errata/RHSA-2021:1007
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1005 https://access.redhat.com/errata/RHSA-2021:1005
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2021:1552 https://access.redhat.com/errata/RHSA-2021:1552
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:3001 https://access.redhat.com/errata/RHSA-2021:3001
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:0492 https://access.redhat.com/errata/RHSA-2022:0492
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:1660 https://access.redhat.com/errata/RHSA-2022:1660