Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice on the Non-Security Handling Vulnerability of containerd Image Volumes (CVE-2022-23648)
Updated on 2023-11-15 GMT+08:00

Notice on the Non-Security Handling Vulnerability of containerd Image Volumes (CVE-2022-23648)

Description

A vulnerability has been disclosed in the containerd open source community. If an image has malicious attributes, processes in the container may access read-only copies of arbitrary files and directories on the host, causing sensitive information leakage on the host.

Table 1 Vulnerability information

Type

CVE-ID

Severity

Discovered

Container escape

CVE-2022-23648

Medium

2022-02-28

Impact

Containers launched with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may expose potentially sensitive information.

The impact of this vulnerability is as follows:

  1. containerd is used as the Kubernetes CRI runtime, and malicious images from unknown sources are used. This vulnerability is not involved when Docker is used as CRI.
  2. The containerd version is earlier than 1.4.1-96.

Identification Method

On the new CCE console, check the value of Runtime Version on the Nodes page of the CCE Turbo cluster. If the containerd runtime is used and its version is earlier than 1.4.1-96, the vulnerability is involved.

Solution

  1. Use trusted images, not third-party images from unknown sources. SoftWare Repository for Container (SWR) is recommended.
  2. Migrate pods to nodes running a containerd version later than 1.4.1-96 (already available on the CCE console)

Helpful Links

A patch has been released in the community. For details, see https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7