[Bug 1973054] Re: containerd regression for CVE-2022-23648 in latest version 1.5.9-0ubuntu1~20.04.1
This bug was fixed in the package containerd - 1.5.9-0ubuntu1~20.04.4

---
containerd (1.5.9-0ubuntu1~20.04.4) focal-security; urgency=medium

  * SECURITY UPDATE: Insecure handling of image volumes
    - debian/patches/CVE-2022-23648.patch: Use fs.RootPath when mounting
      volumes. (LP: #1973054)
    - CVE-2022-23648

 -- Paulo Flabiano Smorigo Thu, 12 May 2022 13:42:43 +

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1973054

Title:
  containerd regression for CVE-2022-23648 in latest version 1.5.9-0ubuntu1~20.04.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/containerd/+bug/1973054/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1973054] Re: containerd regression for CVE-2022-23648 in latest version 1.5.9-0ubuntu1~20.04.1
This bug was fixed in the package containerd - 1.5.9-0ubuntu1~21.10.3

---
containerd (1.5.9-0ubuntu1~21.10.3) impish-security; urgency=medium

  * SECURITY UPDATE: Insecure handling of image volumes
    - debian/patches/CVE-2022-23648.patch: Use fs.RootPath when mounting
      volumes. (LP: #1973054)
    - CVE-2022-23648

 -- Paulo Flabiano Smorigo Thu, 12 May 2022 13:41:37 +

** Changed in: containerd (Ubuntu Impish)
       Status: Confirmed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-23648

** Changed in: containerd (Ubuntu Focal)
       Status: Confirmed => Fix Released

[Bug 1973054] Re: containerd regression for CVE-2022-23648 in latest version 1.5.9-0ubuntu1~20.04.1
** Changed in: containerd (Ubuntu)
     Assignee: (unassigned) => Paulo Flabiano Smorigo (pfsmorigo)

** Changed in: containerd (Ubuntu Focal)
     Assignee: (unassigned) => Paulo Flabiano Smorigo (pfsmorigo)

** Changed in: containerd (Ubuntu Impish)
     Assignee: (unassigned) => Paulo Flabiano Smorigo (pfsmorigo)

[Bug 1973054] Re: containerd regression for CVE-2022-23648 in latest version 1.5.9-0ubuntu1~20.04.1
** Description changed:

Hi,

CVE-2022-23648 allows leaking files on the host inside containers given an attacker crafted image if you use containerd's CRI implementation (e.g. Kubernetes). Ubuntu fixed this in `1.5.5-0ubuntu3~20.04.2` on focal, as noted in [this security advisory](https://ubuntu.com/security/CVE-2022-23648) on March 2nd.

However, the latest package version for focal is `1.5.9-0ubuntu1~20.04.1`, published on [April 27th](https://www.ubuntuupdates.org/package/core/focal/main/updates/containerd), and I just reproduced the vulnerability on this version. Upstream containerd fixed this issue in 1.5.10.

This also exists on the latest official Ubuntu EKS AMI (us-west-2 is `ami-05146f3491fd02c4b` for EKS 1.21). I think most folks on EKS might not be vulnerable unless they specify kubelet to use containerd's CRI rather than the default dockershim, but the package itself is still vulnerable given the right kubelet configuration.

I reproduced the bug with the following steps:

1. Build the POC docker image with the following `Dockerfile`:
```
FROM debian:latest
VOLUME /../../../../../../../../var/lib/kubelet/pki
```
then tag it as `cve-2022-23648-test:1` and push to a registry of your choice
2. Launch the AMI we're testing (`ami-05146f3491fd02c4b` from May 6th), then ssh into node
3. To trick containerd into running, give it a dummy CNI (this is because I'm too lazy to spin up a full EKS cluster) ```cat

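Added example, not part of the bug report and not containerd's code: it shows why a plain join of an image-declared volume path lets the `VOLUME` value from the Dockerfile above resolve outside the container root, next to a root-scoped join. `scopedVolumePath` is a simplified, lexical-only stand-in for the `fs.RootPath` approach named in the changelog (it does not resolve symlinks); the function names and the root directory are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// naiveVolumePath (hypothetical name) joins the volume path onto the
// container root with no confinement: ".." components survive the join.
func naiveVolumePath(root, vol string) string {
	return filepath.Join(root, vol)
}

// scopedVolumePath (hypothetical name) first anchors the volume path at "/",
// where Clean discards any leading "..", and only then joins it onto root.
// Lexical only: symlinks inside root are not resolved here.
func scopedVolumePath(root, vol string) string {
	sep := string(filepath.Separator)
	return filepath.Join(root, filepath.Join(sep, vol))
}

// insideRoot reports whether p is root itself or lies beneath it.
func insideRoot(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	root := "/run/example/rootfs" // constructed container root, not a real containerd path
	// Volume path taken from the Dockerfile in the report.
	vol := "/../../../../../../../../var/lib/kubelet/pki"

	naive := naiveVolumePath(root, vol)
	scoped := scopedVolumePath(root, vol)
	fmt.Printf("naive:  %s (inside root: %v)\n", naive, insideRoot(root, naive))
	fmt.Printf("scoped: %s (inside root: %v)\n", scoped, insideRoot(root, scoped))
}
```

A check such as `insideRoot` is also usable on its own as a guard before any mount or copy that takes its path from image configuration.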
[Bug 1973054] Re: containerd regression for CVE-2022-23648 in latest version 1.5.9-0ubuntu1~20.04.1
** Information type changed from Private Security to Public Security