containerd CRI plugin: Insecure handling of image volumes

Overview

Source
ID
GHSA-crp2-qrr5-8pq7
Aliases
CVE-2022-23648
GO-2022-0344
Affected package

Description

### Impact

A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.

### Patches

This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue.

### Workarounds

Ensure that only trusted images are used.

### Credits

The containerd project would like to thank Felix Wilhelm of Google Project Zero for responsibly disclosing this issue in accordance with the [containerd security policy](https://github.com/containerd/project/blob/main/SECURITY.md).

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [containerd](https://github.com/containerd/containerd/issues/new/choose) * Email us at [security@containerd.io](mailto:security@containerd.io)

Impact

Severity
Latest version of the CVSS score reported by the source of the advisory.
7.5 HIGH
Reference links
http://packetstormsecurity.com/files/166421/containerd-Image-Volume-Insecure-Handling.html
https://github.com/containerd/containerd
https://github.com/containerd/containerd/commit/10f428dac7cec44c864e1b830a4623af27a9fc70
https://github.com/containerd/containerd/releases/tag/v1.4.13
https://github.com/containerd/containerd/releases/tag/v1.5.10
https://github.com/containerd/containerd/releases/tag/v1.6.1
https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-crp2-qrr5-8pq7/GHSA-crp2-qrr5-8pq7.json
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AUDQUQBZJGBWJPMRVB6QCCCRF7O3O4PA
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFTS2EF3S7HNYSNZSEJZIJHPRU7OPUV3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OCCARJ6FU4MWBTXHZNMS7NELPDBIX2VO
https://nvd.nist.gov/vuln/detail/CVE-2022-23648
https://security.gentoo.org/glsa/202401-31
https://www.debian.org/security/2022/dsa-5091

Summary

3.81k
Total packages affected
Packages with at least one version that is affected by the advisory or has an affected dependency.
1.24k
Packages with a known fix
Packages with versions affected by the advisory that have a greater version that is not affected.
0.28%
Total ecosystem affected
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
github.com/containerd/containerd
Affected Version: Introduced: 0, Fixed: 1.4.13, Introduced: 1.5.0, Fixed: 1.5.10, Introduced: 1.6.0, Fixed: 1.6.1
Patched/Unaffected
v1.4.13
v1.5.0-beta.0.0.20210121172153-83f8d6126b79
v1.5.0-beta.0.0.20210122062454-5a66c2ae5cec
v1.5.0-beta.1.0.20210205215132-cfa842c27869
v1.5.0-beta.2.0.20210226165227-07a3ce3d7f88
v1.5.0-beta.3.0.20210305053546-02334356d077
v1.5.0-beta.4.0.20210316174528-f201b78b9065
v1.5.0-beta.4.0.20210324020557-31a0f92df1f3
v1.5.0-beta.4.0.20210402042452-261c107ffc4f
v1.5.0-rc.0.0.20210409053044-6636e3618250
v1.5.0-rc.1.0.20210413152643-f968359ecb3b
v1.5.0-rc.2.0.20210420163742-c3f5a6a93dae
v1.5.0-rc.3.0.20210430031718-df0cc5bd1848
v1.5.10
v1.5.11
v1.5.12-0.20220426184150-3ae69840dbf6
v1.5.12
v1.5.13
v1.5.14
v1.5.15
v1.5.16
v1.5.17
v1.5.18
v1.6.0-beta.0.0.20211011182951-5b29542cbee3
v1.6.0-beta.0.0.20211022154552-fc5c51d5f4eb
v1.6.0-beta.1.0.20211022213938-45c5298700a8
v1.6.0-beta.1.0.20211101005050-f0d3ea96cf8c
v1.6.0-beta.2.0.20211111224154-bd81f8a39d85
v1.6.0-beta.2.0.20211112054404-aa1b0736165c
v1.6.0-beta.2.0.20211117185425-a776a27af54a
v1.6.0-beta.2.0.20211118163723-aa2733c20207
v1.6.0-beta.3.0.20211119174132-1a88cf524244
v1.6.0-beta.4.0.20211214160527-d0da25cf54f8
v1.6.0-beta.5.0.20220106171654-857b35de6c6d
v1.6.0-beta.5.0.20220106193438-3ccd43c8f685
v1.6.0-rc.0.0.20220112172229-6e211a774ff0
v1.6.0-rc.1.0.20220120031347-ad771115b82a
v1.6.0-rc.1.0.20220126004311-3f5d789dfb30
v1.6.0-rc.1.0.20220127150749-a43703fcba54
v1.6.0-rc.1.0.20220128165351-9c676e98dde9
v1.6.0-rc.2.0.20220203165418-943ca856ad70
v1.6.0-rc.3.0.20220208164226-a9f61ba2c84a
v1.6.0-rc.4.0.20220210062109-0340e84cde93
v1.6.1
v1.6.2
v1.6.3-0.20220401172941-5ff8fce1fcc6
v1.6.3
v1.6.4
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.6.10
v1.6.11
v1.6.12
v1.6.13
v1.6.14
v1.6.15
v1.6.16-0.20230124210447-1709cfe273d9
v1.6.16
v1.6.17
v1.6.18
v1.6.19
v1.6.20
v1.6.21
v1.6.22
v1.6.23
v1.6.24
v1.6.25
v1.6.26
v1.6.27
v1.6.28
v1.6.29
v1.6.30
v1.6.31
v1.6.32
v1.6.33
v1.6.34
v1.6.35
v1.6.36
v1.6.37
v1.6.38
v1.7.0-beta.0.0.20221025232920-d878d7dda8d9
v1.7.0-beta.0.0.20221212180621-2a76a1e78de8
v1.7.0-beta.1.0.20221213052408-7db53e0e8cde
v1.7.0-beta.2.0.20230104184621-ef9c2a689a22
v1.7.0-beta.3.0.20230128063521-b8962099e7ce
v1.7.0-beta.4.0.20230216180416-8d4f9b6335c1
v1.7.0-rc.0.0.20230227175025-2be87c1a7550
v1.7.0-rc.1.0.20230302210336-081d81858d65
v1.7.0-rc.2.0.20230307175103-94cf2f50999c
v1.7.0-rc.3.0.20230309042526-8cc09e6a71de
v1.7.0
v1.7.1-0.20230703133900-330273d2362f
v1.7.1-0.20230706191712-3c250cb508aa
v1.7.1-0.20230718202420-e26b669ba9a9
v1.7.1-0.20230829223420-779875a057ff
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9
v1.7.10
v1.7.11
v1.7.12
v1.7.13
v1.7.14
v1.7.15-0.20240329193453-0dcf21c1528a
v1.7.15
v1.7.16
v1.7.17
v1.7.18
v1.7.19
v1.7.20
v1.7.21-0.20240730235713-20966044526b
v1.7.21
v1.7.22
v1.7.23
v1.7.24
v1.7.25-0.19700101000000-142e855138e3
v1.7.25
v1.7.26
v1.7.27
Affected
v1.6.1-0.20220401213713-9766107a53d9
v1.6.1-0.20220322211718-388ee880d23a
v1.6.0
v1.5.9
v1.5.8
v1.5.7
v1.5.6
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.12
v1.4.11
v1.4.10
v1.4.9
v1.4.8
v1.4.7
v1.4.6
v1.4.5
v1.4.4
v1.4.3
v1.4.2
v1.4.1
v1.4.1-0.20201229174909-9067796ce4c8
v1.4.1-0.20201215193253-e922d5553d12
v1.4.1-0.20201214195303-23315f8647ee
v1.4.1-0.20201211190449-004214808a0a
v1.4.1-0.20201208141117-1e624fa3deb4
v1.4.1-0.20201204210828-e98d7f8eaafc
v1.4.1-0.20201117152358-0edc412565dc
v1.4.1-0.20201110220052-687fcd73ec53
v1.4.1-0.20201014210714-22aea1e9a7a0
v1.4.1-0.20200903181227-d4e78200d6da
v1.4.0
v1.4.0-rc.1.0.20200811230809-e9f94064b961
v1.4.0-rc.0.0.20200804175707-85b15eff4581
v1.4.0-beta.2.0.20200730150746-fa1220fce33f
v1.4.0-beta.2.0.20200729163537-40b22ef07410
v1.4.0-beta.2.0.20200728183644-eb6354a11860
v1.4.0-beta.2.0.20200722033631-1a571fcf1b0b
v1.4.0-beta.2.0.20200713162307-5d470fa23bf9
v1.4.0-beta.1.0.20200615192441-ae2f3fdfd1a4
v1.4.0-beta.1.0.20200528154029-8e9ba8376ec2
v1.4.0-beta.0.0.20200514232050-32985949d4f2
v1.3.10
v1.3.9
v1.3.8
v1.3.7
v1.3.6
v1.3.5
v1.3.4
v1.3.3
v1.3.2
v1.3.1
v1.3.1-0.20200507183255-990076b731ec
v1.3.1-0.20200227195959-4d242818bf55
v1.3.1-0.20200219222124-986d06785c4a
v1.3.1-0.20191213020239-082f7e3aed57
v1.3.1-0.20191014053712-acdcf13d5eaf
v1.3.1-0.20191007173812-901bcb223146
v1.3.0
v1.3.0-rc.3.0.20190925122936-da66333271f3
v1.3.0-rc.2.0.20190924150618-aba201344ebf
v1.3.0-rc.2.0.20190920004303-a0dafd9309e9
v1.3.0-rc.1.0.20190912204600-9741f03932fb
v1.3.0-rc.0.0.20190904234633-59a625defb21
v1.3.0-beta.2.0.20190828155532-0293cbd26c69
v1.3.0-beta.2.0.20190823190603-4a2f61c4f2b4
v1.3.0-beta.2.0.20190820170855-640860a042b9
v1.3.0-beta.1.0.20190809132136-f06e605f1aef
v1.3.0-beta.0.0.20190808172034-23faecfb66ab
v1.3.0-beta.0.0.20190731202334-053853fe3ffc
v1.2.14
v1.2.13
v1.2.12
v1.2.11
v1.2.10
v1.2.9
v1.2.8
v1.2.7
v1.2.7-0.20190510190154-d0319ec44af6
v1.2.6
v1.2.5
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.1-rc.0.0.20181121183049-de1f167ab963
v1.2.1-0.20190510150246-481103c87933
v1.2.1-0.20190507210959-7c1e88399ec0
v1.2.1-0.20190426060238-3a3f0aac8819
v1.2.1-0.20190321141026-ceba56893a76
v1.2.1-0.20190214164719-faec567304bb
v1.2.1-0.20190212172151-f5b0fa220df8
v1.2.0
v1.2.0-rc.2.0.20181016180345-d6de12e2f362
v1.2.0-rc.1.0.20181003214326-0c5f8f63c336
v1.2.0-rc.0.0.20180925133938-3bc4ba271e1c
v1.2.0-rc.0.0.20180920203058-99fc40fd6088
v1.2.0-beta.2.0.20180915010629-0dc7636c0bcd
v1.2.0-beta.2.0.20180828185126-ce243288e279
v1.2.0-beta.1.0.20180823192832-ac18e6008772
v1.2.0-beta.0.0.20180816075740-6f13ff3ea48a
v1.1.8
v1.1.7
v1.1.6
v1.1.5
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1.1-rc.2.0.20180627200031-e5fb877b9f6c
v1.1.1-rc.1.0.20180618184725-cbef57047e90
v1.1.1-rc.0.0.20180531235051-395068d2b725
v1.1.1-0.20180706181834-b41633746ed4
v1.1.0
v1.1.0-rc.2.0.20180413230405-f630d5f0a639
v1.1.0-rc.1.0.20180405001410-2bc17ef2cbff
v1.1.0-rc.0.0.20180327161904-7833fb49fdb0
v1.0.3
v1.0.3-rc.0.0.20180329172358-2b3b44fd7d1c
v1.0.2
v1.0.2-rc.1.0.20180206194959-53aaa89850e8
v1.0.2-rc.0.0.20180130231502-8b098d036b71
v1.0.1
v1.0.1-rc.0.0.20180111194836-1549ddad67ad
v1.0.0
v1.0.0-rc.0.0.20171201003522-08f179386e13
v1.0.0-beta.3.0.20171108192226-2b8ed96d2a42
v1.0.0-beta.2.0.20171012010950-a543c937eb0a
v1.0.0-beta.1.0.20170922204455-20c621178a5f
v1.0.0-beta.0.0.20170906232613-d0457b221369
v1.0.0-alpha6.0.20170823223613-f05281743e5a
v1.0.0-alpha5.0.20170817231637-b2ee0ab34eaf
v1.0.0-alpha4.0.20170810221814-56d499e114cd
v1.0.0-alpha3.0.20170802231211-0fa76584f836
v1.0.0-alpha2.0.20170726224524-856b03843737
v1.0.0-alpha1.0.20170719232339-0b3e572b8528
v1.0.0-alpha0.0.20170713002203-8eadcb8c2899
v0.2.9
v0.2.8
v0.2.7
v0.2.6
v0.2.5
v0.2.4
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.0