CVE-2021-43816

containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8 HIGH
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
GitHub_MCNA
8 HIGH
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 35%
VendorProductVersion
linuxfoundationcontainerd
1.5.1 ≤
𝑥
< 1.5.9
linuxfoundationcontainerd
1.5.0
linuxfoundationcontainerd
1.5.0:beta0
linuxfoundationcontainerd
1.5.0:beta1
linuxfoundationcontainerd
1.5.0:beta2
linuxfoundationcontainerd
1.5.0:beta3
linuxfoundationcontainerd
1.5.0:beta4
linuxfoundationcontainerd
1.5.0:rc0
linuxfoundationcontainerd
1.5.0:rc1
linuxfoundationcontainerd
1.5.0:rc2
linuxfoundationcontainerd
1.5.0:rc3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
containerd
bullseye
1.4.13~ds1-1~deb11u4
not-affected
bullseye (security)
1.4.13~ds1-1~deb11u2
fixed
bookworm
1.6.20~ds1-1
fixed
trixie
1.7.22~ds1-1
fixed
sid
1.7.23~ds2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
containerd
noble
Fixed 1.5.9-0ubuntu1
released
mantic
Fixed 1.5.9-0ubuntu1
released
lunar
Fixed 1.5.9-0ubuntu1
released
kinetic
Fixed 1.5.9-0ubuntu1
released
jammy
Fixed 1.5.9-0ubuntu1
released
impish
Fixed 1.5.9-0ubuntu1~21.10.3
released
hirsute
ignored
focal
Fixed 1.5.9-0ubuntu1~20.04.4
released
bionic
Fixed 1.5.9-0ubuntu1~18.04.1
released
xenial
needed
trusty
ignored
Common Weakness Enumeration
References
https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea
https://github.com/containerd/containerd/issues/6194
https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/
https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea
https://github.com/containerd/containerd/issues/6194
https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c
https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/