Updated on 2023-11-15 GMT+08:00

Notice on the containerd Security Vulnerability (CVE-2020-15257)

Description

CVE-2020-15257 is a container escape vulnerability disclosed by the containerd project. containerd is the container runtime underpinning Docker and common Kubernetes configurations; it manages the container lifecycle and starts each container through a helper process, containerd-shim, which exposes its API over an abstract Unix domain socket. Abstract sockets are scoped by network namespace rather than by the filesystem, and the shim's only access check was that the connecting peer had an effective UID of 0. A container that shares the host network namespace and runs a process as root can therefore connect to the shim's socket and use the shim API to have new processes run with elevated privileges, escaping the container.

Table 1 Vulnerability information

Type                     | CVE-ID          | Severity | Discovered
-------------------------|-----------------|----------|-----------
Docker container escape  | CVE-2020-15257  | Medium   | 2020-11-30

Impact

CCE clusters from v1.9 to v1.17.9 are affected.

Exploitation requires both conditions at once: the container must share the host network namespace (hostNetwork: true in the Pod spec), otherwise the shim's abstract socket is not visible to it, and a process inside the container must run as user root (UID 0), otherwise the shim rejects the connection. A container that lacks either condition is not exposed to this vulnerability.

Solution

The fix shipped upstream in containerd 1.3.9 and 1.4.3. Independently of the runtime version, you are advised to run containers with least privilege and to impose the following restrictions on untrusted containers; either one on its own puts the containerd-shim socket out of the container's reach:

  1. Do not use the host network. Leave hostNetwork unset or false in the Pod spec so the container keeps its own network namespace and cannot see the shim's abstract socket.
  2. Do not run container processes as user root. Set runAsNonRoot: true, or a non-zero runAsUser, in the securityContext so that no process in the container has the UID 0 the shim's access check accepts; the kubelet enforces runAsNonRoot even when the image's USER is root.
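The following script is an added example, not CCE or containerd code, that turns the two conditions from the Impact and Solution sections into an audit you can run over the output of kubectl get pod -o json: it flags each container that both shares the host network namespace and may run as UID 0 (a missing runAsUser is treated as root, because most images default to USER root), and reports nothing for pods that lack either condition. The three Pod manifests, image names and pod names are constructed for the illustration.

```python
"""Audit Kubernetes Pod specs for the two conditions CVE-2020-15257 needs.

Added example, not CCE or containerd code. Pods are passed as plain dicts
in the shape `kubectl get pod -o json` returns; the sample manifests below
are constructed for this illustration.
"""
from typing import Any, Dict, List, Optional

Pod = Dict[str, Any]


def _security_context(obj: Dict[str, Any]) -> Dict[str, Any]:
    return obj.get("securityContext") or {}


def effective_run_as_user(spec: Dict[str, Any], container: Dict[str, Any]) -> Optional[int]:
    """runAsUser on the container securityContext wins over the pod-level one.
    None means neither is set, so the image's USER directive decides."""
    if "runAsUser" in _security_context(container):
        return _security_context(container)["runAsUser"]
    return _security_context(spec).get("runAsUser")


def effective_run_as_non_root(spec: Dict[str, Any], container: Dict[str, Any]) -> bool:
    """runAsNonRoot on the container securityContext wins over the pod-level one."""
    if "runAsNonRoot" in _security_context(container):
        return bool(_security_context(container)["runAsNonRoot"])
    return bool(_security_context(spec).get("runAsNonRoot", False))


def may_run_as_root(spec: Dict[str, Any], container: Dict[str, Any]) -> bool:
    """True when the spec does not rule out UID 0.
    runAsNonRoot: true is enforced by the kubelet even if the image USER is
    root, so it alone is sufficient. Without it, a missing runAsUser has to be
    treated as root: most images default to USER root."""
    if effective_run_as_non_root(spec, container):
        return False
    uid = effective_run_as_user(spec, container)
    return uid is None or uid == 0


def audit_pod(pod: Pod) -> List[str]:
    """One finding per container that can reach the shim's abstract socket:
    the pod shares the host network namespace AND the container may run as
    UID 0. A pod lacking either condition yields no findings."""
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    if not spec.get("hostNetwork", False):
        return []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [
        f"{name}/{c['name']}: hostNetwork=true and process may run as UID 0"
        for c in containers
        if may_run_as_root(spec, c)
    ]


def audit_pods(pods: List[Pod]) -> List[str]:
    return [finding for pod in pods for finding in audit_pod(pod)]


# Constructed sample manifests (not taken from any real cluster).
EXPOSED_POD: Pod = {  # both conditions hold: exploitable on a vulnerable shim
    "metadata": {"name": "node-agent"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "agent", "image": "example/agent:1.0"}],
    },
}

HOSTNET_NONROOT_POD: Pod = {  # host network, but UID pinned to 1000: not exposed
    "metadata": {"name": "node-exporter"},
    "spec": {
        "hostNetwork": True,
        "securityContext": {"runAsUser": 1000},
        "containers": [{"name": "exporter", "image": "example/exporter:1.0"}],
    },
}

HARDENED_POD: Pod = {  # what the Solution section asks for: neither condition holds
    "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{
            "name": "web",
            "image": "example/web:1.0",
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
    },
}

if __name__ == "__main__":
    for finding in audit_pods([EXPOSED_POD, HOSTNET_NONROOT_POD, HARDENED_POD]):
        print(finding)
```

Run against a real cluster by feeding the items array of kubectl get pods -A -o json to audit_pods. The container-level securityContext deliberately overrides the pod-level one, mirroring Kubernetes precedence, so a pod that sets runAsUser: 1000 at pod level but runAsUser: 0 on one container is still reported.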