Bugzilla – Bug 1191121
VUL-0: CVE-2021-41103: containerd: file access to local users
Last modified: 2022-02-04 14:26:13 UTC
is public https://github.com/containerd/containerd/security/advisories/GHSA-c2h3-6mxw-7mvq Insufficiently restricted permissions on container root and plugin directories moderate dmcgowan published GHSA-c2h3-6mxw-7mvq 2 days ago Package github.com/containerd/containerd (go) Affected versions <1.4.11,<1.5.7 Patched versions 1.4.11,1.5.7 Description Impact A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. Patches This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Workarounds Limit access to the host to trusted users. Update directory permission on container bundles directories. For more information If you have any questions or comments about this advisory: Open an issue in github.com/containerd/containerd Email us at security@containerd.io
SUSE-SU-2021:3336-1: An update that solves 6 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 1102408,1185405,1187704,1188282,1191015,1191121,1191334,1191355,1191434 CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103 JIRA References: Sources used: SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.4.11-16.45.1, docker-20.10.9_ce-98.72.1, runc-1.0.2-16.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:3506-1: An update that solves 6 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434 CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103 JIRA References: Sources used: openSUSE Leap 15.3 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, docker-kubic-20.10.9_ce-156.1, runc-1.0.2-23.1
SUSE-SU-2021:3506-1: An update that solves 6 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434 CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103 JIRA References: Sources used: SUSE MicroOS 5.1 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE MicroOS 5.0 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise Server for SAP 15-SP1 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise Server for SAP 15 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise Server 15-SP1-LTSS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise Server 15-SP1-BCL (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise Server 15-LTSS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise Module for Containers 15-SP3 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise Module for Containers 15-SP2 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise High Performance Computing 15-LTSS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1 SUSE Enterprise Storage 7 (src): runc-1.0.2-23.1 SUSE Enterprise Storage 6 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 SUSE CaaS Platform 4.0 (src): containerd-1.4.11-56.1, docker-20.10.9_ce-156.1, runc-1.0.2-23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1404-1: An update that solves 6 vulnerabilities and has four fixes is now available. Category: security (important) Bug References: 1102408,1185405,1187704,1188282,1190826,1191015,1191121,1191334,1191355,1191434 CVE References: CVE-2021-30465,CVE-2021-32760,CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103 JIRA References: Sources used: openSUSE Leap 15.2 (src): containerd-1.4.11-lp152.2.12.1, docker-20.10.9_ce-lp152.2.18.1, runc-1.0.2-lp152.2.9.1
SUSE-SU-2022:0213-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1191015,1191121,1191334,1191434,1193273 CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190 JIRA References: Sources used: SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.4.12-16.49.1, docker-20.10.12_ce-98.75.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1191015,1191121,1191334,1191434,1193273 CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190 JIRA References: Sources used: openSUSE Leap 15.3 (src): containerd-1.4.12-60.1, docker-20.10.12_ce-159.1, docker-kubic-20.10.12_ce-159.1
SUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available. Category: security (moderate) Bug References: 1191015,1191121,1191334,1191434,1193273 CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190 JIRA References: Sources used: SUSE Linux Enterprise Module for Containers 15-SP3 (src): containerd-1.4.12-60.1, docker-20.10.12_ce-159.1 SUSE Linux Enterprise Micro 5.1 (src): containerd-1.4.12-60.1, docker-20.10.12_ce-159.1 SUSE Linux Enterprise Micro 5.0 (src): containerd-1.4.12-60.1, docker-20.10.12_ce-159.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.