Security Release - Containerd CVE-2022-23648

Posted March 4, 2022 by Thomas Kooi

We have published a security release for AME Kubernetes that addresses a CVE in containerd.

The new release contains the fix for CVE-2022-23648, a moderate-severity vulnerability in containerd. We recommend that everyone upgrade their clusters to the latest available patch version. Please see our documentation on how to upgrade your cluster.

CVE Details

This is the announcement from containerd/containerd on GitHub.

Impact

A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.

Patches

This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue.

Workarounds

Ensure that only trusted images are used.
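To find nodes that still run a containerd build older than the fixed versions listed under Patches, the following is an added example (not part of the containerd announcement or of AME Kubernetes). The function names and the sample node list are constructed for illustration, and treating release lines after 1.6 as patched is an assumption.

```sh
#!/bin/sh
# Fixed releases named in the advisory: 1.6.1, 1.5.10, 1.4.13.

# classify_containerd RUNTIME_VERSION
# prints: patched | vulnerable | unsupported | other-runtime | unparsable
classify_containerd() {
  v=$1
  case $v in
    containerd://*) v=${v#containerd://} ;;
    *://*) echo other-runtime; return ;;        # e.g. docker://20.10.12
  esac
  v=${v#v}
  v=${v%%[-+~]*}                                # packaging or pre-release suffix is ignored
  case $v in
    *[!0-9.]*|*.*.*.*) echo unparsable; return ;;
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo unparsable; return ;;
  esac
  major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
  # Assumption: release lines after 1.6 already contain the fix.
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -gt 6 ]; }; then
    echo patched; return
  fi
  case $major.$minor in
    1.6) fixed=1 ;;
    1.5) fixed=10 ;;
    1.4) fixed=13 ;;
    *) echo unsupported; return ;;              # the advisory lists no fix for this line
  esac
  if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# audit_nodes: reads "node<TAB>runtimeVersion" lines on stdin, prints one
# status per node, returns 1 if any containerd node is not patched.
audit_nodes() {
  tab=$(printf '\t'); rc=0
  while IFS="$tab" read -r node ver; do
    [ -n "$node" ] || continue
    status=$(classify_containerd "$ver")
    printf '%s\t%s\t%s\n' "$node" "$ver" "$status"
    case $status in patched|other-runtime) ;; *) rc=1 ;; esac
  done
  return "$rc"
}

# Constructed sample, in the shape produced by: kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}'
sample_nodes() {
  printf '%s\t%s\n' node-a containerd://1.5.9 node-b containerd://1.5.10 \
    node-c containerd://1.6.0 node-d containerd://1.4.13
}
sample_nodes | audit_nodes || echo "at least one node needs the upgrade"
```

Against a live cluster, pipe the `kubectl` command from the comment into `audit_nodes` in place of `sample_nodes`.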

Release notes

The following CVEs are patched:

Please see our release notes for the full change log.

You can upgrade to one of the following AME Kubernetes releases:

  • v1.23.4-u-ame.0
  • v1.22.7-u-ame.0
  • v1.22.7-ame.0
  • v1.21.10-u-ame.0
  • v1.21.10-ame.0