Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes #2821

Closed
miwithro opened this issue Mar 2, 2022 · 6 comments
Closed

CVE-2022-23648: containerd CRI plugin: Insecure handling of image volumes #2821

miwithro opened this issue Mar 2, 2022 · 6 comments
Labels
announcement resolution/answer-provided Provided answer to issue, question or feedback. security

Comments

@miwithro
Copy link
Contributor

miwithro commented Mar 2, 2022
edited
Loading

Impact

A bug was found in containerd where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.

GHSA-crp2-qrr5-8pq7

Patches

Patches are attached for containerd 1.6.x, 1.5.x, and 1.4.x. This bug will be fixed in new upstream releases of containerd: 1.6.1, 1.5.11 and 1.4.13.

Workarounds

Ensure that only trusted images are used.

AKS Information:

Update your node image to 2022.03.02 to remediate this vulnerability.
@miwithro miwithro pinned this issue Mar 2, 2022
@miwithro miwithro unpinned this issue Mar 15, 2022
@github-actions github-actions bot mentioned this issue Mar 24, 2022
Open
@ghost ghost added the action-required label Mar 28, 2022
@github-actions github-actions bot mentioned this issue Apr 2, 2022
Open
@ghost
Copy link

ghost commented Apr 2, 2022

Action required from @Azure/aks-pm

@ghost ghost added the Needs Attention 👋 Issues needs attention/assignee/owner label Apr 2, 2022
@miwithro miwithro removed action-required Needs Attention 👋 Issues needs attention/assignee/owner labels Apr 4, 2022
@Icybiubiubiu
Copy link

checked on vhd image 03/23(which is newer than 03.20), issue was not fixed. Containerd is still on 1.5.9
image

Suppose should be fixed on 03.29
image

@ghost ghost added the action-required label May 7, 2022
@ghost
Copy link

ghost commented May 12, 2022

Action required from @Azure/aks-pm

@ghost ghost added the Needs Attention 👋 Issues needs attention/assignee/owner label May 12, 2022
@ghost
Copy link

ghost commented May 28, 2022

Issue needing attention of @Azure/aks-leads

1 similar comment
@ghost
Copy link

ghost commented Jun 12, 2022

Issue needing attention of @Azure/aks-leads

@CocoWang-wql CocoWang-wql added announcement resolution/answer-provided Provided answer to issue, question or feedback. and removed action-required Needs Attention 👋 Issues needs attention/assignee/owner labels Jun 12, 2022
@ghost
Copy link

ghost commented Jun 14, 2022

Thanks for reaching out. I'm closing this issue as it was marked with "Answer Provided" and it hasn't had activity for 2 days.

@ghost ghost closed this as completed Jun 14, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Jul 14, 2022
This issue was closed.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
announcement resolution/answer-provided Provided answer to issue, question or feedback. security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@CocoWang-wql @miwithro @Icybiubiubiu