CVE-2021-43816

Summary

CVE: CVE-2021-43816
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-01-05 19:15:00 UTC
Updated: 2023-11-07 03:39:00 UTC

Description: containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via a hostPath volume, any privileged regular file on disk for complete read/write access (but not delete). This is achieved by placing the in-container location of the hostPath volume mount at `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are relabeled indiscriminately to match the container process label, which effectively elevates permissions for containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

Risk And Classification

Problem Types: CWE-281

NVD Known Affected Configurations (CPE 2.3)

| Type             | Vendor         | Product    | Version | Update | Edition | Language |
|------------------|----------------|------------|---------|--------|---------|----------|
| Operating System | Fedoraproject  | Fedora     | 34      | All    | All     | All      |
| Operating System | Fedoraproject  | Fedora     | 35      | All    | All     | All      |
| Application      | Linuxfoundation| Containerd | All     | All    | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | -      | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | beta0  | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | beta1  | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | beta2  | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | beta3  | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | beta4  | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | rc0    | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | rc1    | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | rc2    | All     | All      |
| Application      | Linuxfoundation| Containerd | 1.5.0   | rc3    | All     | All      |

References

| Reference | Source | Link | Tags |
|-----------|--------|------|------|
| Revert "[cri] label etc files for selinux containers" · dweomer/containerd@f7f08f0 · GitHub | MISC | github.com | |
| cri + selinux: /etc/hosts from hostPath mount getting relabeled · Issue #6194 · containerd/containerd · GitHub | MISC | github.com | |
| [SECURITY] Fedora 35 Update: containerd-1.6.0~rc.2-2.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 34 Update: containerd-1.6.0~rc.2-3.fc34 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [cri] label etc files for selinux containers · containerd/containerd@a731039 · GitHub | MISC | github.com | |
| containerd CRI plugin: Unprivileged pod using `hostPath` can side-step SELinux · Advisory · containerd/containerd · GitHub | CONFIRM | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |

Legacy QID Mappings

  • 182587 Debian Security Update for containerd (CVE-2021-43816)
  • 282386 Fedora Security Update for containerd (FEDORA-2022-a0b2a4d594)
  • 282387 Fedora Security Update for containerd (FEDORA-2022-f668c3d70d)
  • 502050 Alpine Linux Security Update for containerd
  • 504645 Alpine Linux Security Update for containerd
  • 6140264 AWS Bottlerocket Security Update for containerd (GHSA-x6g3-r23m-qfv9)

© CVE.report 2026


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
