CVE-2021-43816

Published on: Not Yet Published

Last Modified on: 04/01/2022 02:50:00 PM UTC

CVE-2021-43816 - advisory for GHSA-mvff-h3cj-wj9c

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Certain versions of Fedora from Fedoraproject contain the following vulnerability:

containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

  • CVE-2021-43816 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.
  • Affected Vendor/Software: containerd - containerd version >= 1.5.0, < 1.5.9
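
Added example (not part of the advisory and not containerd's code): a Python audit that flags pods whose spec mounts a hostPath volume at one of the three in-container paths named in the description above. It assumes input shaped like the output of `kubectl get pods -A -o json`; the function names and the sample pods are constructed for illustration.

```python
import posixpath

# In-container mount targets named in the CVE-2021-43816 description.
RELABELED_TARGETS = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}

def risky_hostpath_mounts(pod):
    """Findings for hostPath volumes mounted at one of the relabeled targets."""
    spec, meta = pod.get("spec") or {}, pod.get("metadata") or {}
    # volume name -> host path, hostPath volumes only (configMap etc. ignored)
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes") or []
                  if isinstance(v.get("hostPath"), dict)}
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            for m in c.get("volumeMounts") or []:
                # Normalise so "/etc/hosts/" or "/etc/./hosts" still match.
                target = posixpath.normpath(m.get("mountPath") or "")
                if m.get("name") in host_paths and target in RELABELED_TARGETS:
                    findings.append({
                        "pod": f'{meta.get("namespace", "default")}/{meta.get("name")}',
                        "container": c.get("name"),
                        "target": target,
                        "host_path": host_paths[m["name"]],
                    })
    return findings

def audit(pod_list):
    """Audit a PodList document (the shape of `kubectl get pods -A -o json`)."""
    return [f for pod in pod_list.get("items") or [] for f in risky_hostpath_mounts(pod)]

# Constructed sample, not taken from the advisory: one flagged pod, one benign.
SAMPLE = {"items": [
    {"metadata": {"name": "demo-a", "namespace": "team1"},
     "spec": {"volumes": [{"name": "hv", "hostPath": {"path": "/srv/example/data.txt"}},
                          {"name": "cfg", "configMap": {"name": "dns"}}],
              "containers": [{"name": "app", "volumeMounts": [
                  {"name": "hv", "mountPath": "/etc/hosts/"},
                  {"name": "cfg", "mountPath": "/etc/resolv.conf"}]}]}},
    {"metadata": {"name": "demo-b", "namespace": "team1"},
     "spec": {"volumes": [{"name": "hv", "hostPath": {"path": "/srv/example"}}],
              "containers": [{"name": "app", "volumeMounts": [
                  {"name": "hv", "mountPath": "/data"}]}]}},
]}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding only matters on SELinux nodes running a containerd version in the affected range given above; on fixed versions it is still a useful signal for pod admission review.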

CVSS3 Score: 9.1 - CRITICAL

| Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|---|---|
| NETWORK | LOW | HIGH | NONE | CHANGED | HIGH | HIGH | HIGH |

CVSS2 Score: 6 - MEDIUM

| Access Vector | Access Complexity | Authentication | Confidentiality Impact | Integrity Impact | Availability Impact |
|---|---|---|---|---|---|
| NETWORK | MEDIUM | SINGLE | PARTIAL | PARTIAL | PARTIAL |

CVE References

| Description | Tags | Link |
|---|---|---|
| Revert "[cri] label etc files for selinux containers" · dweomer/[email protected] · GitHub | MISC | github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299 |
| cri + selinux: /etc/hosts from hostPath mount getting relabeled · Issue #6194 · containerd/containerd · GitHub | MISC | github.com/containerd/containerd/issues/6194 |
| [SECURITY] Fedora 35 Update: containerd-1.6.0~rc.2-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | FEDORA-2022-a0b2a4d594 (lists.fedoraproject.org) |
| [cri] label etc files for selinux containers · containerd/[email protected] · GitHub | MISC | github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea |
| containerd CRI plugin: Unprivileged pod using `hostPath` can side-step SELinux · Advisory · containerd/containerd · GitHub | CONFIRM | github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c |
| [SECURITY] Fedora 34 Update: containerd-1.6.0~rc.2-3.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | FEDORA-2022-f668c3d70d (lists.fedoraproject.org) |

Related QID Numbers

  • 282386 Fedora Security Update for containerd (FEDORA-2022-a0b2a4d594)
  • 282387 Fedora Security Update for containerd (FEDORA-2022-f668c3d70d)

Known Affected Configurations (CPE V2.3)

| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Linuxfoundation | Containerd | All | All | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | - | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | beta0 | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | beta1 | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | beta2 | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | beta3 | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | beta4 | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | rc0 | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | rc1 | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | rc2 | All | All |
| Application | Linuxfoundation | Containerd | 1.5.0 | rc3 | All | All |

  • cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
  • cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:-:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta0:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta1:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta2:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta3:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:beta4:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc0:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc1:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc2:*:*:*:*:*:*:
  • cpe:2.3:a:linuxfoundation:containerd:1.5.0:rc3:*:*:*:*:*:*:

Social Mentions

| Source | Title | Posted (UTC) |
|---|---|---|
| @containerd | containerd 1.5.9 has been released to fix CVE-2021-43816. See advisory and release notes for more details github.com/containerd/con… | 2022-01-05 18:13:21 |
| @CVEreport | CVE-2021-43816 : containerd is an open source container runtime. On installations using SELinux, such as EL8 CentO… twitter.com/i/web/status/1… | 2022-01-05 18:57:29 |
| @d_feldman | unprivileged containers with the same privileges as privileged containers https://t.co/Gey6HJdV8S | 2022-01-05 20:59:56 |