SB2021061116 - SUSE update for containerd, docker, runc 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021061116

SB2021061116 - SUSE update for containerd, docker, runc

Published: June 11, 2021

Security Bulletin ID SB2021061116
Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2021-21284)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions when using the --userns-remap option. A remote authenticated attacker on the local network can send a specially crafted request and gain elevated privileges as root on the system.


2) Resource exhaustion (CVE-ID: CVE-2021-21285)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick a victim to pull a specially crafted Docker image, trigger resource exhaustion and perform a denial of service (DoS) attack.


3) Resource management error (CVE-ID: CVE-2021-21334)

The vulnerability allows an attacker to gain access to potentially sensitive information.

The vulnerability exists due to incorrect management of internal resources. Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.

4) Security features bypass (CVE-ID: CVE-2021-30465)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the security features bypass issue. A remote authenticated attacker on the local network can perform a symlink exchange attack and host filesystem being bind-mounted into the container.


Remediation

Install update from vendor's website.

References