Headline
CVE-2021-32760: Archive package allows chmod of file outside of unpack target directory
containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.
Impact
A bug was found in containerd where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.
Patches
This bug has been fixed in containerd 1.5.4 and 1.4.8. Users should update to these versions as soon as they are released. Running containers do not need to be restarted.
Workarounds
Ensure you only pull images from trusted sources.
Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with unexpected files.
For more information
If you have any questions or comments about this advisory:
- Open an issue
- Email us at [email protected] if you think you’ve found a security bug.
Related news
Gentoo Linux Security Advisory 202401-31 - Multiple vulnerabilities have been found in containerd, the worst of which could result in privilege escalation. Versions greater than or equal to 1.6.14 are affected.
Red Hat Security Advisory 2023-5952-01 - An update is now available for Red Hat OpenShift Service Mesh 2.4 for RHEL 8.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.
Red Hat OpenStack Platform 16.2 (Train) director Operator containers are available for technology preview.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-11253: kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service * CVE-2019-19794: golang-github-miekg-dns: predictable TXID can lead to response forgeries * CVE-2020-15257: containerd: unrestricted access to abstract Unix domain socket can lead to privileges escalation * CVE-2021-29482: ulikunitz/xz: Infinite loop in readUvarint allows for denial of service * CVE-2021-32760: containerd: pulling and extracting crafted container image may result in Unix file permission changes