Bug 2060029 (CVE-2022-23648) - CVE-2022-23648 containerd: insecure handling of image volumes
Summary: CVE-2022-23648 containerd: insecure handling of image volumes
Keywords:
Status: NEW
Alias: CVE-2022-23648
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2065684 2075884 2075885 2075886 2075887 2075888
Blocks: 2060036
TreeView+ depends on / blocked
 
Reported: 2022-03-02 14:41 UTC by Marian Rehak
Modified: 2024-02-16 19:47 UTC (History)
27 users (show)

Fixed In Version: containerd 1.6.1, containerd 1.5.10, containerd 1.4.13
Doc Type: If docs needed, set a value
Doc Text:
An information leak was discovered in containerd. This issue could allow a remote attacker access to read-only copies of arbitrary files and directories on the host, which can be exploited with a specially-crafted image configuration.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Marian Rehak 2022-03-02 14:41:29 UTC 
A bug was found in containerd where containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup and expose potentially sensitive information.

Reference:

https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
Comment 1 juneau 2022-03-18 13:28:24 UTC 
Marking Services low impact affected/delegated: containerd is present, but OCP/OSD uses cri-o by default.
Comment 3 Nick Tait 2022-04-15 23:47:05 UTC 
Created containerd tracking bugs for this issue:

Affects: epel-7 [bug 2075884]
Affects: fedora-all [bug 2075885]
Comment 6 Nick Tait 2022-04-22 19:57:23 UTC 
Fix is here: https://github.com/containerd/containerd/commit/fb0b8d6177538c0da2ddd81b90b8c5e6d96f8b0f
Note You need to log in before you can comment on or make changes to this bug.