Vulnerability Name: CVE-2021-21334 (CCN-198079)

Assigned: 2020-12-22
Published: 2021-03-05
Updated: 2022-06-03
Summary: In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.
CVSS v3 Severity: 6.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
5.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network
    Attack Complexity (AC): High
    Privileges Required (PR): Low
    User Interaction (UI): None
  Scope: Scope (S): Changed
  Impact Metrics: Confidentiality (C): High
    Integrity (I): None
    Availability (A): None
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
  Exploitability Metrics: Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope: Scope (S): Unchanged
  Impact Metrics: Confidentiality (C): High
    Integrity (I): None
    Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
  Exploitability Metrics: Access Vector (AV): Network
    Access Complexity (AC): Medium
    Authentication (Au): None
  Impact Metrics: Confidentiality (C): Partial
    Integrity (I): None
    Availability (A): None
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N)
  Exploitability Metrics: Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics: Confidentiality (C): Complete
    Integrity (I): None
    Availability (A): None
Vulnerability Type: CWE-668
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2021-21334

Source: XF
Type: UNKNOWN
containerd-cve202121334-info-disc(198079)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/containerd/containerd/releases/tag/v1.3.10

Source: MISC
Type: Release Notes, Third Party Advisory
https://github.com/containerd/containerd/releases/tag/v1.4.4

Source: CCN
Type: containerd GIT Repository
containerd CRI plugin: environment variables can leak between containers

Source: CONFIRM
Type: Third Party Advisory
https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-470fa24f5b

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-10ce8fcbf1

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-f049305892

Source: GENTOO
Type: Third Party Advisory
GLSA-202105-33

Source: CCN
Type: IBM Security Bulletin 6602259 (MQ Operator CD release)
IBM MQ Operator and Queue manager container images are vulnerable to an issue in OPM and Golang Go packages (CVE-2020-15257, CVE-2021-21334 and CVE-2021-41771)

Source: CCN
Type: IBM Security Bulletin 6999559 (Edge Application Manager)
IBM Edge Application Manager 4.5 addresses multiple security vulnerabilities

Vulnerable Configuration:
  Configuration 1:
  • cpe:/a:linuxfoundation:containerd:*:*:*:*:*:*:*:* (Version >= 1.4.0 and < 1.4.4)
  • OR cpe:/a:linuxfoundation:containerd:*:*:*:*:*:*:*:* (Version < 1.3.10)

  Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

  Configuration CCN 1:
  • cpe:/a:linuxfoundation:containerd:1.4.0:-:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.3.9:*:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.4.3:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
Oval Definitions
Definition ID                          | Class | Title                                                                          | Last Modified
oval:org.opensuse.security:def:7850    | P     | containerd-1.6.19-150000.87.1 on GA media (Moderate)                           | 2023-06-12
oval:org.opensuse.security:def:95287   | P     | Security update for permissions (Important)                                    | 2022-08-03
oval:org.opensuse.security:def:3794    | P     | Security update for the Linux Kernel (Important)                               | 2022-07-21
oval:org.opensuse.security:def:3801    | P     | sysvinit-tools-2.88+-101.3.1 on GA media (Moderate)                            | 2022-06-28
oval:org.opensuse.security:def:3242    | P     | libpython3_4m1_0-3.4.6-25.29.1 on GA media (Moderate)                          | 2022-06-28
oval:org.opensuse.security:def:94872   | P     | containerd-1.4.12-150000.65.1 on GA media (Moderate)                           | 2022-06-22
oval:org.opensuse.security:def:94710   | P     | libsoup-2_4-1-2.74.2-150400.1.6 on GA media (Moderate)                         | 2022-06-22
oval:org.opensuse.security:def:6056    | P     | Security update for kernel-firmware (Moderate)                                 | 2022-05-25
oval:org.opensuse.security:def:102000  | P     | Security update for the Linux Kernel (Live Patch 3 for SLE 15 SP3) (Critical)  | 2022-02-16
oval:org.opensuse.security:def:99478   | P     | (Important)                                                                    | 2022-01-25
oval:org.opensuse.security:def:112096  | P     | containerd-1.4.8-2.2 on GA media (Moderate)                                    | 2022-01-17
oval:org.opensuse.security:def:105636  | P     | containerd-1.4.8-2.2 on GA media (Moderate)                                    | 2021-10-01
oval:org.opensuse.security:def:99677   | P     | (Low)                                                                          | 2021-09-07
oval:org.opensuse.security:def:99985   | P     | (Moderate)                                                                     | 2021-08-23
oval:org.opensuse.security:def:111579  | P     | Security update for containerd, docker, runc (Important)                       | 2021-07-10
oval:org.opensuse.security:def:111437  | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-16
oval:org.opensuse.security:def:76213   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:100294  | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:8977    | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:93232   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:97064   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:91943   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:66828   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:42090   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:10100   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:103019  | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:99088   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:92727   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:69868   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:93961   | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:100623  | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:9346    | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:92138   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:117603  | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:67145   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:93411   | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:10279   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:99646   | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:8603    | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:99279   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:108089  | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:92926   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:70240   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:94172   | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:64883   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:101678  | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:9529    | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:101423  | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:92329   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:69486   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:93568   | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:75896   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:99959   | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:8782    | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:108666  | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:93079   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:70419   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:94384   | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:64890   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:9728    | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:5739    | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:98893   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:92528   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:69669   | P     | Security update for containerd, docker, runc (Important)                       | 2021-06-11
oval:org.opensuse.security:def:93746   | P     | (Important)                                                                    | 2021-06-11
oval:org.opensuse.security:def:20650   | P     | Security update for containerd, docker, runc (Important)                       | 2021-04-30
oval:org.opensuse.security:def:49121   | P     | Security update for containerd, docker, runc (Important)                       | 2021-04-30