CVE-2021-43816

Name of the Vulnerable Software and Affected Versions containerd versions 1.5.0-beta.0 through 1.5.8

Description The issue affects installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd as the backing container runtime interface (CRI). An unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access. This is achieved by placing the in-container location of the hostPath volume mount at either /etc/hosts, /etc/hostname, or /etc/resolv.conf. These locations are being relabeled indiscriminately to match the container process-label, which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files.

Recommendations For containerd versions 1.5.0-beta.0 through 1.5.8, upgrade to version 1.5.9 as soon as possible. As a temporary workaround, ensure that no sensitive files or directories are used as a hostPath volume source location. Consider implementing policy enforcement mechanisms, such as Kubernetes Pod Security Policy, to limit the files and directories that can be bind-mounted to containers.