Notice of Apache containerd Security Vulnerability (CVE-2020-15257)
Description
CVE-2020-15257 is a Docker container escape vulnerability disclosed by the containerd project. containerd is the container runtime underpinning Docker and common Kubernetes configurations; it handles the abstractions involved in containerization and provides APIs for managing container lifecycles. Under certain circumstances, an attacker inside a container can reach the containerd-shim API and use it to escape the Docker container.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Docker container escape | CVE-2020-15257 | Medium | 2020-11-30
Impact
CCE clusters running versions v1.9 through v1.17.9.
If the host network is not used and the processes in the container do not run as user root (UID 0), the container is not affected by this vulnerability.
Solution
You are advised to run containers with the least privilege they need and to impose the following restrictions on untrusted containers:
- The host network must not be used.
- Processes in the container must not run as user root.
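The two restrictions above are also the two conditions the Impact section uses to decide whether a container is affected, so they can be checked mechanically against pod specifications. The following script is an added example, not part of the original notice or of containerd/CCE: it takes Kubernetes pod specs (here constructed inline as dictionaries in the same shape as a `kubectl get pod -o json` item) and reports which containers combine `hostNetwork: true` with a root process. The rule that a container with no declared `runAsUser`/`runAsNonRoot` is treated as running as root is an assumption made here for conservative auditing, since image defaults are not visible in the spec.

```python
"""Audit Kubernetes pod specs for the exposure conditions named in the
CVE-2020-15257 notice: host network in use AND a container process
running as root (UID 0). Added example; pod specs below are constructed."""

from typing import Any, Dict, List


def pod_uses_host_network(pod: Dict[str, Any]) -> bool:
    """True when the pod shares the host network namespace."""
    return bool(pod.get("spec", {}).get("hostNetwork", False))


def container_runs_as_root(pod: Dict[str, Any], container: Dict[str, Any]) -> bool:
    """Decide whether a container's main process runs as UID 0.

    Container-level securityContext overrides pod-level. runAsNonRoot=true
    wins outright because the kubelet refuses to start a UID-0 process then.
    Assumption (conservative): if neither field is declared, treat the
    container as root, because the image's USER directive is not in the spec.
    """
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    run_as_non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    run_as_user = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    if run_as_non_root is True:
        return False
    if run_as_user is None:
        return True
    return int(run_as_user) == 0


def exposed_containers(pod: Dict[str, Any]) -> List[str]:
    """Names of containers in this pod that meet both exposure conditions."""
    if not pod_uses_host_network(pod):
        return []
    return [
        c["name"]
        for c in pod.get("spec", {}).get("containers", [])
        if container_runs_as_root(pod, c)
    ]


def audit(pods: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map 'namespace/pod' -> exposed container names, for pods with findings."""
    findings: Dict[str, List[str]] = {}
    for pod in pods:
        meta = pod.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        hits = exposed_containers(pod)
        if hits:
            findings[key] = hits
    return findings


# Constructed sample pods (not real workloads).
WEAK_POD = {  # host network + no securityContext: exposed
    "metadata": {"name": "monitor", "namespace": "ops"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "example/agent"}],
    },
}

MIXED_POD = {  # host network, but pod-level runAsNonRoot overridden by one container
    "metadata": {"name": "exporter", "namespace": "ops"},
    "spec": {
        "hostNetwork": True,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [
            {"name": "metrics", "image": "example/exporter"},
            {"name": "privileged-sidecar", "image": "example/sidecar",
             "securityContext": {"runAsNonRoot": False, "runAsUser": 0}},
        ],
    },
}

HARDENED_POD = {  # the notice's recommended posture: no host network, non-root
    "metadata": {"name": "web", "namespace": "default"},
    "spec": {
        "hostNetwork": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
        "containers": [{"name": "nginx", "image": "example/nginx-unprivileged"}],
    },
}

if __name__ == "__main__":
    for name, hits in audit([WEAK_POD, MIXED_POD, HARDENED_POD]).items():
        print(f"{name}: exposed containers {hits}")
```

To run this against a live cluster, feed it the `items` list from `kubectl get pods --all-namespaces -o json`; a pod with an empty finding list is outside the conditions the notice describes, while any listed container should be given a non-root user or moved off the host network.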