Bugzilla – Bug 1193273
VUL-1: CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion
Last modified: 2023-02-09 11:28:40 UTC
rh#2024938 In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.
References:
https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
https://github.com/containerd/containerd/releases/tag/v1.4.12
https://github.com/containerd/containerd/releases/tag/v1.5.8
https://github.com/moby/moby/releases/tag/v20.10.11
References:
https://bugzilla.redhat.com/show_bug.cgi?id=2024938
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41190
http://seclists.org/oss-sec/2021/q4/123
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
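One defensive check for the ambiguity described above, added here as an illustration and not code from Moby, containerd or the OCI specifications: it classifies a manifest or index body from its own fields, rejects a body that carries both index and manifest fields, and treats the Content-Type header and the body's mediaType only as values that must agree with that structure. The function and type names are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Media types from the OCI image specification.
const (
	mediaTypeManifest = "application/vnd.oci.image.manifest.v1+json"
	mediaTypeIndex    = "application/vnd.oci.image.index.v1+json"
)

// ociDocument (assumed name) captures only the fields needed to tell an
// image manifest from an image index.
type ociDocument struct {
	MediaType string            `json:"mediaType"`
	Manifests []json.RawMessage `json:"manifests"`
	Layers    []json.RawMessage `json:"layers"`
	Config    *json.RawMessage  `json:"config"`
}

// classifyOCIDocument (assumed name) returns the media type a document must be
// treated as, deciding from the body rather than the Content-Type header. It
// refuses bodies that could be read both ways, and bodies whose declared
// mediaType or Content-Type contradicts their structure, so the same digest
// can never be interpreted two different ways across pulls.
func classifyOCIDocument(contentType string, body []byte) (string, error) {
	var doc ociDocument
	if err := json.Unmarshal(body, &doc); err != nil {
		return "", err
	}
	hasIndexFields := doc.Manifests != nil
	hasManifestFields := doc.Layers != nil || doc.Config != nil
	switch {
	case hasIndexFields && hasManifestFields:
		return "", errors.New("ambiguous document: has both index and manifest fields")
	case !hasIndexFields && !hasManifestFields:
		return "", errors.New("document is neither an index nor a manifest")
	}
	kind := mediaTypeManifest
	if hasIndexFields {
		kind = mediaTypeIndex
	}
	if doc.MediaType != "" && doc.MediaType != kind {
		return "", fmt.Errorf("mediaType %q does not match document structure %q", doc.MediaType, kind)
	}
	if contentType != "" && contentType != kind {
		return "", fmt.Errorf("Content-Type %q does not match document structure %q", contentType, kind)
	}
	return kind, nil
}
```

A caller that has verified the digest of the body first and then calls this function gets a type that depends only on the bytes behind that digest, which is the property the advisory says was missing.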
openSUSE-SU-2021:1525-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1193273
CVE References: CVE-2021-41190
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP3 (src): singularity-3.8.5-bp153.2.10.1
SUSE-SU-2022:0213-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.4.12-16.49.1, docker-20.10.12_ce-98.75.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): containerd-1.4.12-60.1, docker-20.10.12_ce-159.1, docker-kubic-20.10.12_ce-159.1
SUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src): containerd-1.4.12-60.1, docker-20.10.12_ce-159.1
SUSE Linux Enterprise Micro 5.1 (src): containerd-1.4.12-60.1, docker-20.10.12_ce-159.1
SUSE Linux Enterprise Micro 5.0 (src): containerd-1.4.12-60.1, docker-20.10.12_ce-159.1
SUSE-SU-2022:23018-1: An update that solves 7 vulnerabilities, contains one feature and has one errata is now available.
Category: security (moderate)
Bug References: 1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273
CVE References: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190
JIRA References: SLE-22714
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src): conmon-2.0.30-150300.8.3.1, podman-3.4.4-150300.9.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1
SUSE Linux Enterprise Micro 5.1 (src): conmon-2.0.30-150300.8.3.1, libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1, podman-3.4.4-150300.9.3.2
openSUSE-SU-2022:23018-1: An update that solves 7 vulnerabilities, contains one feature and has one errata is now available.
Category: security (moderate)
Bug References: 1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273
CVE References: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190
JIRA References: SLE-22714
Sources used:
openSUSE Leap 15.3 (src): conmon-2.0.30-150300.8.3.1, libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1, podman-3.4.4-150300.9.3.2
SUSE-SU-2022:1507-1: An update that solves 5 vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1192814,1193273,1193930,1196441,1197284,1197517
CVE References: CVE-2021-41190,CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.5.11-16.57.1, docker-20.10.14_ce-98.80.1
SUSE-SU-2023:0187-1: An update that solves 6 vulnerabilities, contains one feature and has one errata is now available.
Category: security (important)
Bug References: 1181640,1181961,1193166,1193273,1197672,1199790,1202809
CVE References: CVE-2021-20199,CVE-2021-20206,CVE-2021-4024,CVE-2021-41190,CVE-2022-27649,CVE-2022-2989
JIRA References: PED-2771
Sources used:
openSUSE Leap Micro 5.3 (src): podman-4.3.1-150400.4.11.1
openSUSE Leap 15.4 (src): podman-4.3.1-150400.4.11.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src): podman-4.3.1-150400.4.11.1
SUSE Linux Enterprise Micro 5.3 (src): podman-4.3.1-150400.4.11.1
SUSE-SU-2023:0326-1: An update that solves 6 vulnerabilities, contains one feature and has one errata is now available.
Category: security (important)
Bug References: 1181640,1181961,1193166,1193273,1197672,1199790,1202809
CVE References: CVE-2021-20199,CVE-2021-20206,CVE-2021-4024,CVE-2021-41190,CVE-2022-27649,CVE-2022-2989
JIRA References: PED-2771
Sources used:
openSUSE Leap Micro 5.2 (src): podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise Server for SAP 15-SP3 (src): podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src): podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise Micro 5.2 (src): podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise Micro 5.1 (src): podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src): podman-4.3.1-150300.9.15.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src): podman-4.3.1-150300.9.15.1
SUSE Enterprise Storage 7.1 (src): podman-4.3.1-150300.9.15.1