PT-2021-3856 · Unknown+6 · Kubernetes Containerd+5

Mcgowan · Published 2021-07-19 · Updated 2024-08-21 · CVE-2021-32760

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: containerd versions prior to 1.4.8 and 1.5.4

Description: The issue is related to a bug in containerd that allows pulling and extracting a specially-crafted container image to result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process.

Recommendations: For containerd versions prior to 1.4.8, update to version 1.4.8 as soon as possible. For containerd versions prior to 1.5.4, update to version 1.5.4 as soon as possible. As a temporary workaround, ensure that users only pull images from trusted sources. Consider using Linux security modules (LSMs) like SELinux and AppArmor to limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.
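On hosts that cannot be updated right away, the permission changes named in the description can be detected by comparing file modes against a baseline taken before image pulls. The sketch below is an added example, not code from this advisory or from the containerd project; its function names are hypothetical, and in `demo()` a temporary directory and a `chmod` call stand in for a host file tree and an unexpected change.

```python
import os
import stat
import tempfile

# Extended bits the description names, checked in this order.
SPECIAL = {stat.S_ISUID: "setuid", stat.S_ISGID: "setgid", stat.S_ISVTX: "sticky"}

def snapshot(root):
    """Map every path under root to its permission bits (symlinks are skipped)."""
    modes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a link out of the tree
            if not stat.S_ISLNK(st.st_mode):
                modes[path] = stat.S_IMODE(st.st_mode)
    return modes

def classify(before, after):
    """Name the kinds of change the description lists for one file's mode bits."""
    findings = [f"{label} set" for bit, label in SPECIAL.items()
                if after & bit and not before & bit]
    if (after & ~before) & 0o777:
        findings.append("access widened")
    if (before & ~after) & 0o777:
        findings.append("access removed")
    return findings

def mode_drift(baseline, current):
    """Return {path: (old_mode, new_mode, findings)} for files whose mode changed."""
    drift = {}
    for path, old in baseline.items():
        new = current.get(path)
        if new is not None and new != old:
            drift[path] = (oct(old), oct(new), classify(old, new))
    return drift

def demo():
    """Constructed scenario: baseline a file at 0750, change it, report the drift."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "helper")
        open(target, "w").close()
        os.chmod(target, 0o750)
        baseline = snapshot(root)
        os.chmod(target, 0o4755)  # simulated unexpected permission change
        found = mode_drift(baseline, snapshot(root))
        return {os.path.basename(p): v for p, v in found.items()}

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off-host and the comparison run after pulls on sensitive trees, with legitimate mode changes from package updates filtered out.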

Exploit

Fix

Weakness Enumeration

Incorrect Permission
Exposure of Resource to Wrong Sphere
Improper Preservation of Permissions

Related Identifiers

ALT-PU-2021-2459
ALT-PU-2021-2735
ALT-PU-2022-1248
AZL-6680
BDU:2021-04214
CVE-2021-32760
GHSA-C72P-9XMJ-RX3W
GO-2022-0921
MGASA-2021-0484
OPENSUSE-SU-2021:1081-1
OPENSUSE-SU-2021:1404-1
OPENSUSE-SU-2021:2412-1
OPENSUSE-SU-2021:3506-1
OPENSUSE-SU-2021_1081-1
OPENSUSE-SU-2021_1404-1
OPENSUSE-SU-2021_2412-1
OPENSUSE-SU-2021_3506-1
OPENSUSE-SU-2024:10693-1
OPENSUSE-SU-2024:11619-1
SUSE-SU-2021:2412-1
SUSE-SU-2021:2413-1
SUSE-SU-2021:3336-1
SUSE-SU-2021:3506-1
SUSE-SU-2021_2412-1
SUSE-SU-2021_2413-1
USN-5012-1
USN-5521-1

Affected Products

Alt Linux
Astra Linux
Kubernetes Containerd
Linuxmint
Suse
Ubuntu