USN-5521-1: containerd vulnerabilities
15 July 2022
Several security issues were fixed in containerd.
Releases
Packages
- containerd - daemon to control runC
Details
It was discovered that containerd insufficiently restricted permissions on
container root and plugin directories. If a user or automated system were
tricked into launching a specially crafted container image, a remote
attacker could traverse directory contents and modify files and execute
programs on the host file system, possibly leading to privilege escalation.
(CVE-2021-41103)
It was discovered that containerd incorrectly handled file permission
changes. If a user or automated system were tricked into launching a
specially crafted container image, a remote attacker could change
permissions on files on the host file system and possibly escalate
privileges. (CVE-2021-32760)
It was discovered that containerd allows attackers to gain access to read-
only copies of arbitrary files and directories on the host via a specially-
crafted image configuration. An attacker could possibly use this issue to
obtain sensitive information. (CVE-2022-23648)
It was discovered that containerd incorrectly handled certain memory
operations. A remote attacker could use this to cause a denial of service.
(CVE-2022-31030)
Update instructions
The problem can be corrected by updating your system to the following package versions:
Ubuntu 16.04
-
containerd
-
1.2.6-0ubuntu1~16.04.6+esm2
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References
Related notices
- USN-5012-1: containerd, golang-github-docker-containerd-dev, golang-github-containerd-containerd-dev
- USN-5100-1: containerd, golang-github-docker-containerd-dev, golang-github-containerd-containerd-dev
- USN-5776-1: containerd, golang-github-containerd-containerd-dev
- USN-5311-1: containerd, golang-github-containerd-containerd-dev
- USN-5311-2: containerd, golang-github-containerd-containerd-dev