Bug 2044434 (CVE-2021-43816) - CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged regular file on disk
Summary: CVE-2021-43816 containerd: Unprivileged pod may bind mount any privileged reg...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-43816
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2044435 2044436 2047533 2047534 2047535 2047703 2047706 2047707 2047708 2047709 2057145 2057146
Blocks: 2044437
TreeView+ depends on / blocked
 
Reported: 2022-01-24 15:37 UTC by Pedro Sampaio
Modified: 2024-04-23 07:23 UTC (History)
32 users (show)

Fixed In Version: github.com/containerd/containerd 1.5.9
Clone Of:
Environment:
Last Closed: 2022-06-09 04:50:32 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0735 0 None None None 2022-03-03 06:58:23 UTC
Red Hat Product Errata RHSA-2022:4956 0 None None None 2022-06-09 02:06:20 UTC

Description Pedro Sampaio 2022-01-24 15:37:47 UTC
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
https://github.com/containerd/containerd/issues/6194
https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299
https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea

Comment 1 Pedro Sampaio 2022-01-24 15:38:11 UTC
Created containerd tracking bugs for this issue:

Affects: epel-7 [bug 2044435]
Affects: fedora-all [bug 2044436]

Comment 8 errata-xmlrpc 2022-03-03 06:58:20 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

Comment 9 errata-xmlrpc 2022-06-09 02:06:17 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

Comment 10 Product Security DevOps Team 2022-06-09 04:50:29 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43816


Note You need to log in before you can comment on or make changes to this bug.