Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tdmZmLWgzY2otd2o5Y80g4w
Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux
Impact
Containers launched through containerd’s CRI implementation on Linux systems which use the SELinux security module and containerd versions since v1.5.0 can cause arbitrary files and directories on the host to be relabeled to match the container process label through the use of specially-configured bind mounts in a hostPath volume. This relabeling elevates permissions for the container, granting full read/write access over the affected files and directories. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.
If you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not affected by this issue.
Patches
This bug has been fixed in containerd 1.5.9. Because file labels persist independently of containerd, users should both update to these versions as soon as they are released and validate that all files on their host are correctly labeled.
Workarounds
Ensure that no sensitive files or directories are used as a hostPath volume source location. Policy enforcement mechanisms such a Kubernetes Pod Security Policy AllowedHostPaths may be specified to limit the files and directories that can be bind-mounted to containers.
For more information
If you have any questions or comments about this advisory:
- Open an issue in containerd
- Email us at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tdmZmLWgzY2otd2o5Y80g4w
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-mvff-h3cj-wj9c, CVE-2021-43816
References:
- https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
- https://github.com/containerd/containerd/issues/6194
- https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea
- https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299
- https://nvd.nist.gov/vuln/detail/CVE-2021-43816
- https://lists.fedoraproject.org/archives/list/[email protected]/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/
- https://github.com/advisories/GHSA-mvff-h3cj-wj9c
Blast Radius: 35.8
Affected Packages
go:github.com/containerd/containerd
Dependent packages: 7,158Dependent repositories: 26,380
Downloads:
Affected Version Ranges: >= 1.5.0, < 1.5.9
Fixed in: 1.5.9
All affected versions: 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.13, 1.2.14, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.5.18, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16, 1.6.17, 1.6.18, 1.6.19, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12