#VU51242 Resource management error in containerd


Published: 2021-03-05

Vulnerability identifier: #VU51242

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21334

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
containerd
Other software / Other software solutions

Vendor: containerd

Description

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect management of internal resources. Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

containerd: 1.4.0 - 1.4.3, 1.3.0 - 1.3.9

External links
http://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4
http://github.com/containerd/containerd/releases/tag/v1.3.10
http://github.com/containerd/containerd/releases/tag/v1.4.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM QRadar Suite Software
Multiple vulnerabilities in IBM Edge Application Manager
Multiple vulnerabilities in IBM MQ Operator
Multiple vulnerabilities in Dell EMC VxRail Appliance
SUSE update for containerd, docker, runc
Gentoo update for containerd
SUSE update for containerd, docker, runc
Ubuntu update for containerd
Information disclosure in containerd