In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

References:
https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
https://github.com/containerd/containerd/releases/tag/v1.4.12
https://github.com/containerd/containerd/releases/tag/v1.5.8
https://github.com/moby/moby/releases/tag/v20.10.11
https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35
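The description above boils down to one trust decision: a client that lets the transport-level Content-Type header choose between "image manifest" and "image index" parsing can be made to read the same bytes (same digest) two different ways. The following is an added example written for this page, not code from Moby, containerd or the OCI specifications, showing the defensive check a client can apply before deserializing a fetched document: treat the document's own top-level mediaType field as authoritative and require it to agree with the claimed type, refuse a document that declares no mediaType yet carries the fields of both shapes, and finally require the body to actually have the fields of the type it is parsed as. The two OCI media type strings are real; the sample documents (including the ambiguous one with both config/layers and manifests) are constructed here for illustration, with placeholder digests.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Media type strings defined by the OCI image-spec.
const (
	MediaTypeImageManifest = "application/vnd.oci.image.manifest.v1+json"
	MediaTypeImageIndex    = "application/vnd.oci.image.index.v1+json"
)

// manifestShape reads just enough of a manifest or index to tell which shape
// it has; json.RawMessage keeps the nested descriptors opaque.
type manifestShape struct {
	SchemaVersion int               `json:"schemaVersion"`
	MediaType     string            `json:"mediaType"`
	Config        *json.RawMessage  `json:"config"`
	Layers        []json.RawMessage `json:"layers"`
	Manifests     []json.RawMessage `json:"manifests"`
}

var (
	ErrAmbiguous = errors.New("document declares no mediaType and has the fields of both a manifest and an index")
	ErrMismatch  = errors.New("embedded mediaType does not match the claimed media type")
	ErrShape     = errors.New("document body does not have the fields of the claimed media type")
)

// Digest returns the content digest of the body, which is what a registry and a
// client agree on. It is identical no matter which Content-Type accompanied it.
func Digest(body []byte) string {
	sum := sha256.Sum256(body)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ValidateManifest decides whether body may be deserialized as claimedType, the
// value taken from the Content-Type header or from the parent descriptor.
// On success it returns the media type that should be used for parsing.
func ValidateManifest(body []byte, claimedType string) (string, error) {
	var doc manifestShape
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", fmt.Errorf("invalid JSON: %w", err)
	}
	looksLikeManifest := doc.Config != nil || len(doc.Layers) > 0
	looksLikeIndex := len(doc.Manifests) > 0

	if doc.MediaType != "" {
		// The body's own declaration wins; the header must agree with it.
		if doc.MediaType != claimedType {
			return "", fmt.Errorf("%w: body says %q, header says %q", ErrMismatch, doc.MediaType, claimedType)
		}
	} else if looksLikeManifest && looksLikeIndex {
		// Without an embedded mediaType the header alone would decide how
		// these bytes are read; that is exactly the ambiguity, so refuse.
		return "", ErrAmbiguous
	}

	// Whatever type is settled on, the body must have that type's fields only.
	switch claimedType {
	case MediaTypeImageManifest:
		if !looksLikeManifest || looksLikeIndex {
			return "", ErrShape
		}
	case MediaTypeImageIndex:
		if !looksLikeIndex || looksLikeManifest {
			return "", ErrShape
		}
	default:
		return "", fmt.Errorf("unsupported media type %q", claimedType)
	}
	return claimedType, nil
}

// Constructed sample: no mediaType, but both manifest fields (config, layers)
// and index fields (manifests). Digests are placeholders.
const ambiguousDoc = `{
  "schemaVersion": 2,
  "config": {"mediaType": "application/vnd.oci.image.config.v1+json", "digest": "sha256:1111111111111111111111111111111111111111111111111111111111111111", "size": 1},
  "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", "digest": "sha256:2222222222222222222222222222222222222222222222222222222222222222", "size": 1}],
  "manifests": [{"mediaType": "application/vnd.oci.image.manifest.v1+json", "digest": "sha256:3333333333333333333333333333333333333333333333333333333333333333", "size": 1}]
}`

// Constructed sample: a well-formed manifest that declares its own mediaType.
const goodManifest = `{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:1111111111111111111111111111111111111111111111111111111111111111","size":1},"layers":[]}`

func main() {
	body := []byte(ambiguousDoc)
	fmt.Println("digest is header-independent:", Digest(body))
	for _, ct := range []string{MediaTypeImageManifest, MediaTypeImageIndex} {
		_, err := ValidateManifest(body, ct)
		fmt.Printf("Content-Type %s -> %v\n", ct, err)
	}
	mt, err := ValidateManifest([]byte(goodManifest), MediaTypeImageManifest)
	fmt.Println("well-formed manifest ->", mt, err)
}
```

Run as-is, the ambiguous document is rejected under either Content-Type value while its digest stays the same, which is the property the description above says the digest alone could not guarantee. The check is deliberately applied before the document is handed to a type-specific unmarshaller, so the header never gets to choose the parser on its own.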
Created containerd tracking bugs for this issue:
Affects: epel-7 [bug 2024943]
Affects: fedora-all [bug 2024941]

Created golang-github-opencontainers-image-spec tracking bugs for this issue:
Affects: fedora-all [bug 2024939]

Created moby-engine tracking bugs for this issue:
Affects: fedora-all [bug 2024940]
OCI Specification updates:
https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c
https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923
Some container runtime tools updates related to this CVE:
https://github.com/containerd/containerd/commit/26c76a3014e71af5ad2f396ec76e0e0ecc8e25a3 - containerd
https://github.com/cri-o/cri-o/pull/5468 - CRI-O
https://github.com/moby/moby/pull/43025/files - Moby (Docker Engine)
https://github.com/containers/image/commit/7bcf9bc8b6a66de47df5b765ccaf69d0efc27011 - skopeo
This issue has been addressed in the following products: OADP-1.0-RHEL-8 Via RHSA-2022:0687 https://access.redhat.com/errata/RHSA-2022:0687
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:0055 https://access.redhat.com/errata/RHSA-2022:0055
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-41190
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.7 Via RHSA-2022:1734 https://access.redhat.com/errata/RHSA-2022:1734
This issue has been addressed in the following products: RHEL-8-CNV-4.10 Via RHSA-2022:4668 https://access.redhat.com/errata/RHSA-2022:4668
This issue has been addressed in the following products: RHACS-3.70-RHEL-8 Via RHSA-2022:4880 https://access.redhat.com/errata/RHSA-2022:4880
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8 Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.11 Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7457 https://access.redhat.com/errata/RHSA-2022:7457