Gentoo update for containerd



Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2020-15257
CVE-2021-21334
CWE-ID CWE-284
CWE-399
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Gentoo Linux
Operating systems & Components / Operating system

Vendor Gentoo

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU48795

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2020-15257

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.

Mitigation

Update the affected packages.
app-emulation/containerd to version: 1.4.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202105-33


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Resource management error

EUVDB-ID: #VU51242

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-21334

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect management of internal resources. Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.

Mitigation

Update the affected packages.
app-emulation/containerd to version: 1.4.4

Vulnerable software versions

Gentoo Linux: All versions

CPE2.3 External links

http://security.gentoo.org/
http://security.gentoo.org/glsa/202105-33


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###