Bugzilla – Bug 1196441
VUL-0: CVE-2022-23648: containerd: directory traversal issue
Last modified: 2022-05-16 16:18:42 UTC
**This issue will remain embargoed until March 2, 2022 between 9am and 11am Pacific time,** at which point upstream containerd releases will be available and an advisory will be posted to https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7. This issue has been assigned CVE-2022-23648.

**Impact**

A bug was found in containerd where containers launched through containerd's CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd's CRI implementation.

**Patches**

**Patches are attached for containerd 1.6.x, 1.5.x, and 1.4.x. This bug will be fixed in new upstream releases of containerd: 1.6.1, 1.5.11 and 1.4.13.**

**Workarounds**

Ensure that only trusted images are used.

Before you share the information with others based on their need-to-know, you need to get these people to agree to these same terms, optionally (and preferably) with the additional limitation that they may not share the information further (not even with others on their team or within their company, not even based on need-to-know) without explicit approval by you.
In case you prefer the [Traffic Light Protocol](http://en.wikipedia.org/wiki/Traffic%20Light%20Protocol) (also explained by [FIRST](https://www.first.org/tlp/) and [US-CERT](https://www.us-cert.gov/tlp)), in its terms this is TLP:AMBER with the need-to-know condition as specified above and with the following additional limitation on sharing: you must not share the information with anyone outside of your team responsible for producing your containerd packages or running shared infrastructure, including not within the rest of your organization nor with your clients or customers, including not in any derived form (not even through delivering or deploying undocumented fixes). Once the embargo is over, this is TLP:WHITE.

On behalf of the containerd project,
Samuel Karp
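The advisory above names three fixed upstream releases on three separate branches, and the SUSE update announcements further down this bug ship the fix as a backport in a package whose upstream version number (1.4.12) is below the upstream fix (1.4.13). Both facts trip up a naive "is my version number big enough" check. The following is an added example, not code from the bug, from the containerd project or from SUSE: it does a branch-aware comparison against the advisory's fixed releases and, separately, a package-level comparison against a distribution advisory's fixed package. The `containerd --version` output line used as input is a constructed sample, and the treatment of branches outside 1.4 to 1.6 (newer branches cut after the fix, older branches never fixed) is an assumption stated in the code.

```python
"""Added example: decide whether a containerd build is at or past the
CVE-2022-23648 fix, using the releases named in the advisory on this bug.

Two checks are shown because a plain numeric comparison gets both wrong:
1. Upstream: fixes landed on three branches (1.6.1, 1.5.11, 1.4.13), so 1.5.0 is
   affected even though it is numerically above 1.4.13.
2. Distro package: SUSE backported the fix into containerd-1.4.12-63.1 (per
   SUSE-SU-2022:0720-1 on this bug), so the upstream rule would wrongly flag
   that package as vulnerable; compare against the advisory's package instead.
"""
import re
from typing import Optional, Tuple

# Fixed upstream releases per branch, taken from the advisory text.
FIXED_BY_BRANCH = {
    (1, 6): (1, 6, 1),
    (1, 5): (1, 5, 11),
    (1, 4): (1, 4, 13),
}

_TRIPLE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first x.y.z triple out of a version string, e.g. the output of
    `containerd --version` (a constructed sample is used in __main__ below)."""
    m = _TRIPLE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def upstream_fixed(version: Tuple[int, int, int]) -> bool:
    """Branch-aware comparison against the fixed upstream releases."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version >= FIXED_BY_BRANCH[branch]
    # Assumption (not stated on the bug): branches newer than 1.6 were cut
    # after the fix; branches older than 1.4 received no fix and are treated
    # as affected.
    return branch > max(FIXED_BY_BRANCH)


_NVR = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+)$")


def parse_rpm_nvr(nvr: str) -> Tuple[str, Tuple[int, ...], Tuple[int, ...]]:
    """Split 'containerd-1.4.12-63.1' into name, version tuple, release tuple.
    Only dotted-numeric version and release strings are handled, which covers
    the containerd packages on this bug; a full rpmvercmp would be needed for
    strings such as '20.10.14_ce'."""
    m = _NVR.match(nvr)
    if not m:
        raise ValueError(f"not a name-version-release string: {nvr!r}")

    def to_tuple(s: str) -> Tuple[int, ...]:
        return tuple(int(p) for p in s.split("."))

    return m["name"], to_tuple(m["ver"]), to_tuple(m["rel"])


def package_fixed(installed_nvr: str, fixed_nvr: str) -> bool:
    """True when the installed package is at or above the advisory's fixed
    package: same name, then version and release compared numerically."""
    iname, iver, irel = parse_rpm_nvr(installed_nvr)
    fname, fver, frel = parse_rpm_nvr(fixed_nvr)
    if iname != fname:
        raise ValueError(f"package name mismatch: {iname} vs {fname}")
    return (iver, irel) >= (fver, frel)


if __name__ == "__main__":
    # Constructed sample of `containerd --version` output.
    sample = "containerd github.com/containerd/containerd v1.5.10 <commit>"
    v = parse_version(sample)
    print(v, "upstream fixed:", upstream_fixed(v))
    # Fixed SLE 15 package from SUSE-SU-2022:0720-1; the installed value is a
    # constructed older build number.
    print(package_fixed("containerd-1.4.12-62.1", "containerd-1.4.12-63.1"))
```

For a host running a distribution package, only the second check is meaningful: the package version from the vendor's own advisory is the fixed point, and the upstream triple inside it says nothing about whether the backport is present.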
Created attachment 856539 [details]
containerd-1.4.patch

containerd-1.4.patch as attached to rancher github (so formatting might be off)
We don't use CRI in any SLES product (even in the containers module, since running Kubernetes is not supported we don't support containerd's CRI module), but I can prepare an MR with this patch anyway.
(In reply to Aleksa Sarai from comment #6)
> We don't use CRI in any SLES product (even in the containers module, since

Oops, I meant containerd's cri. Obviously cri-o is also a CRI runtime.

> running Kubernetes is not supported we don't support containerd's CRI
> module), but I can prepare an MR with this patch anyway.
(In reply to Aleksa Sarai from comment #6)
> We don't use CRI in any SLES product (even in the containers module, since
> running Kubernetes is not supported we don't support containerd's CRI
> module), but I can prepare an MR with this patch anyway.

Yes please, submit the patch for the following packages:
- openSUSE:Factory/containerd
- SUSE:SLE-15:Update/containerd
- SUSE:SLE-12:Update/containerd
this is public now
SUSE-SU-2022:0720-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1196441
CVE References: CVE-2022-23648
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src): containerd-1.4.12-63.1
SUSE Linux Enterprise Micro 5.1 (src): containerd-1.4.12-63.1
SUSE Linux Enterprise Micro 5.0 (src): containerd-1.4.12-63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0720-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1196441
CVE References: CVE-2022-23648
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): containerd-1.4.12-63.1
openSUSE Leap 15.3 (src): containerd-1.4.12-63.1
SUSE-SU-2022:0719-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1196441
CVE References: CVE-2022-23648
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.4.13-16.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
released
SUSE-SU-2022:0720-2: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1196441
CVE References: CVE-2022-23648
JIRA References:
Sources used:
SUSE Linux Enterprise Micro 5.2 (src): containerd-1.4.12-63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1507-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192814,1193273,1193930,1196441,1197284,1197517
CVE References: CVE-2021-41190,CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.5.11-16.57.1, docker-20.10.14_ce-98.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:1689-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1193930,1196441,1197284,1197517
CVE References: CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1, docker-kubic-20.10.14_ce-150000.163.1
openSUSE Leap 15.3 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1, docker-kubic-20.10.14_ce-150000.163.1
SUSE Manager Server 4.1 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Manager Retail Branch Server 4.1 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Manager Proxy 4.1 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server for SAP 15 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Server 15-LTSS (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): containerd-1.5.11-150000.68.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Micro 5.2 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Micro 5.1 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise Micro 5.0 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Enterprise Storage 7 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE Enterprise Storage 6 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1
SUSE CaaS Platform 4.0 (src): containerd-1.5.11-150000.68.1, docker-20.10.14_ce-150000.163.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.