CVE-2020-15257

Name of the Vulnerable Software and Affected Versions: containerd versions prior to 1.3.9 and 1.4.3

Description: The issue is related to the improper exposure of the containerd-shim API to host network containers. Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.

Recommendations: To resolve the issue for versions prior to 1.3.9, update to version 1.3.9 or later. To resolve the issue for versions prior to 1.4.3, update to version 1.4.3 or later. As a temporary workaround, consider denying access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@** to your policy. Restrict access to the vulnerable containerd-shim API by running containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. Stop and restart containers started with an old version of containerd-shim after updating, as running containers will continue to be vulnerable even after an upgrade.