A bug was found in containerd where containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup and expose potentially sensitive information. Reference: https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
Marking Services low impact affected/delegated: containerd is present, but OCP/OSD uses cri-o by default.
Created containerd tracking bugs for this issue:
Affects: epel-7 [bug 2075884]
Affects: fedora-all [bug 2075885]
Fix is here: https://github.com/containerd/containerd/commit/fb0b8d6177538c0da2ddd81b90b8c5e6d96f8b0f