Bug 1193273 (CVE-2021-41190) - VUL-1: CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion
Summary: VUL-1: CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion
Status: NEW
Alias: CVE-2021-41190
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.2
Hardware: Other Other
: P4 - Low : Minor (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/315195/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-41190:5.0:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-01 09:09 UTC by Robert Frohl
Modified: 2024-07-31 13:09 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-12-01 09:09:41 UTC
rh#2024938

n the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

References:

https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
https://github.com/containerd/containerd/releases/tag/v1.4.12
https://github.com/containerd/containerd/releases/tag/v1.5.8
https://github.com/moby/moby/releases/tag/v20.10.11

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2024938
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41190
http://seclists.org/oss-sec/2021/q4/123
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
Comment 1 Swamp Workflow Management 2021-12-04 17:16:15 UTC
openSUSE-SU-2021:1525-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193273
CVE References: CVE-2021-41190
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    singularity-3.8.5-bp153.2.10.1
Comment 4 Swamp Workflow Management 2022-01-27 17:20:34 UTC
SUSE-SU-2022:0213-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.12-16.49.1, docker-20.10.12_ce-98.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-02-04 14:23:44 UTC
openSUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1, docker-kubic-20.10.12_ce-159.1
Comment 6 Swamp Workflow Management 2022-02-04 14:26:28 UTC
SUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1
SUSE Linux Enterprise Micro 5.1 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1
SUSE Linux Enterprise Micro 5.0 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-03-04 08:27:56 UTC
SUSE-SU-2022:23018-1: An update that solves 7 vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273
CVE References: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190
JIRA References: SLE-22714
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    conmon-2.0.30-150300.8.3.1, podman-3.4.4-150300.9.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1
SUSE Linux Enterprise Micro 5.1 (src):    conmon-2.0.30-150300.8.3.1, libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1, podman-3.4.4-150300.9.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-03-04 11:25:22 UTC
openSUSE-SU-2022:23018-1: An update that solves 7 vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273
CVE References: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190
JIRA References: SLE-22714
Sources used:
openSUSE Leap 15.3 (src):    conmon-2.0.30-150300.8.3.1, libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1, podman-3.4.4-150300.9.3.2
Comment 13 Swamp Workflow Management 2022-05-03 19:23:54 UTC
SUSE-SU-2022:1507-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192814,1193273,1193930,1196441,1197284,1197517
CVE References: CVE-2021-41190,CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.5.11-16.57.1, docker-20.10.14_ce-98.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2023-01-27 14:26:08 UTC
SUSE-SU-2023:0187-1: An update that solves 6 vulnerabilities, contains one feature and has one errata is now available.

Category: security (important)
Bug References: 1181640,1181961,1193166,1193273,1197672,1199790,1202809
CVE References: CVE-2021-20199,CVE-2021-20206,CVE-2021-4024,CVE-2021-41190,CVE-2022-27649,CVE-2022-2989
JIRA References: PED-2771
Sources used:
openSUSE Leap Micro 5.3 (src):    podman-4.3.1-150400.4.11.1
openSUSE Leap 15.4 (src):    podman-4.3.1-150400.4.11.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    podman-4.3.1-150400.4.11.1
SUSE Linux Enterprise Micro 5.3 (src):    podman-4.3.1-150400.4.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2023-02-09 11:28:40 UTC
SUSE-SU-2023:0326-1: An update that solves 6 vulnerabilities, contains one feature and has one errata is now available.

Category: security (important)
Bug References: 1181640,1181961,1193166,1193273,1197672,1199790,1202809
CVE References: CVE-2021-20199,CVE-2021-20206,CVE-2021-4024,CVE-2021-41190,CVE-2022-27649,CVE-2022-2989
JIRA References: PED-2771
Sources used:
openSUSE Leap Micro 5.2 (src):    podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise Server for SAP 15-SP3 (src):    podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src):    podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise Micro 5.2 (src):    podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise Micro 5.1 (src):    podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src):    podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src):    podman-4.3.1-150300.9.15.1
SUSE Enterprise Storage 7.1 (src):    podman-4.3.1-150300.9.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Alexandre Vicenzi 2024-07-31 13:09:56 UTC
This issue is fixed in containerd, docker, and podman packages because in SLE 15 SP2 they have github.com/opencontainers/image-spec 1.0.1 or higher.

SLE 15 SP1 is EOL, but it should not be affected as well.