Date: Wed, 2 Mar 2022 19:17:44 +0000 From: "Karp, Samuel" <skarp@...zon.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes A bug was found in containerd where containers launched through containerd's CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd's CRI implementation. Patches This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue. Workarounds Ensure that only trusted images are used. If you have any questions or comments about this advisory: * Open an issue  * Email us at security@...tainerd.io if you think you've found a security bug. View this advisory on the web: https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7 On behalf of the containerd project, Samuel Karp  https://github.com/containerd/containerd/issues/new/choose
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.