Mcgowan

**Name of the Vulnerable Software and Affected Versions** containerd versions prior to 1.4.11 containerd versions prior to 1.5.7 **Description** A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. **Recommendations** Update to containerd version 1.4.11 or later to fix the vulnerability. Update to containerd version 1.5.7 or later to fix the vulnerability. As a temporary workaround, consider restarting containers or updating directory permissions to mitigate the vulnerability. Limit access to the host to trusted users. Update directory permission on container bundles directories.

**Name of the Vulnerable Software and Affected Versions** containerd versions prior to 1.4.8 and 1.5.4 **Description** The issue is related to a bug in containerd that allows pulling and extracting a specially-crafted container image to result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. **Recommendations** For containerd versions prior to 1.4.8, update to version 1.4.8 as soon as possible. For containerd versions prior to 1.5.4, update to version 1.5.4 as soon as possible. As a temporary workaround, ensure that users only pull images from trusted sources. Consider using Linux security modules (LSMs) like SELinux and AppArmor to limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

**Name of the Vulnerable Software and Affected Versions** containerd versions prior to 1.3.10 containerd versions prior to 1.4.4 **Description** The issue is related to the disclosure of information in the error data area of the containerd runtime environment. Containers launched through containerd's CRI implementation that share the same image may receive incorrect environment variables, including values defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. **Recommendations** Update to containerd version 1.3.10 or later. Update to containerd version 1.4.4 or later. As a temporary workaround, consider avoiding the launch of multiple containers or Kubernetes pods from the same image with different environment variables in rapid succession. Restrict the use of containerd's CRI implementation to minimize the risk of exploitation.