Notice on the Non-Security Handling Vulnerability of containerd Image Volumes (CVE-2022-23648)
Description
A vulnerability has been disclosed in the containerd open source community. If an image has malicious attributes, processes in the container may access read-only copies of arbitrary files and directories on the host, causing sensitive information leakage on the host.
Type |
CVE-ID |
Severity |
Discovered |
|---|---|---|---|
Container escape |
CVE-2022-23648 |
Medium |
2022-02-28 |
Impact
Containers launched with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may expose potentially sensitive information.
The impact of this vulnerability is as follows:
- containerd is used as the Kubernetes CRI runtime, and malicious images from unknown sources are used. This vulnerability is not involved when Docker is used as CRI.
- The containerd version is earlier than 1.4.1-96.
Identification Method
On the new CCE console, check the value of Runtime Version on the Nodes page of the CCE Turbo cluster. If the containerd runtime is used and its version is earlier than 1.4.1-96, the vulnerability is involved.
Solution
- Use trusted images, not third-party images from unknown sources. SoftWare Repository for Container (SWR) is recommended.
- Migrate pods to nodes running a containerd version later than 1.4.1-96 (already available on the CCE console)
Helpful Links
A patch has been released in the community. For details, see https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
