Our new release contains fixes for CVE-2022-23648, a moderate CVE for containerd. We recommend everyone to upgrade their clusters to the latest patch version available. Please see our documentation on how to upgrade your cluster.
CVE Details
This is the announcement from containerd/containerd on Github.
Impact
A bug was found in containerd where containers launched through containerd’s CRI implementation with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.
Patches
This bug has been fixed in containerd 1.6.1, 1.5.10 and 1.4.13. Users should update to these versions to resolve the issue.
Workarounds
Ensure that only trusted images are used.
Release notes
The following CVEs are patched:
Please see our release notes for the full change log.
You can upgrade to one of the following AME Kubernetes releases:
- v1.23.4-u-ame.0
- v1.22.7-u-ame.0
- v1.22.7-ame.0
- v1.21.10-u-ame.0
- v1.21.10-ame.0