The containerd community recently disclosed CVE-2021-41103, a vulnerability in the containerd runtime. Container root filesystems and some plugin directories were created with insufficiently restricted permissions, so an unprivileged Linux user on the host could traverse directory contents and execute programs inside containers. This topic describes the impact, the affected containerd versions, and the fixes for this vulnerability.

CVE-2021-41103 is rated as medium severity and its Common Vulnerability Scoring System (CVSS) score is 5.9.

Affected containerd versions

The following containerd versions are affected:
  • All versions earlier than v1.4.11 (the 1.4 line before v1.4.11, and all older release lines)
  • v1.5.0 to v1.5.6 (the 1.5 line before v1.5.7)
This vulnerability is fixed in the following containerd versions:
  • v1.4.11
  • v1.5.7

For more information about this vulnerability, see CVE-2021-41103.
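The following shell script is an added example; it is not part of this topic or of the containerd project. It classifies a containerd version string against the affected ranges listed above and, when a containerd binary is on PATH, reports whether the installed version carries the fix. It assumes that containerd --version prints the version as the third whitespace-separated field (for example "containerd github.com/containerd/containerd v1.5.7 ..."); the function names are hypothetical.

```shell
#!/bin/sh
# Added example for CVE-2021-41103 (not containerd's own tooling): classify a
# containerd version string against the affected ranges
# (< v1.4.11, and 1.5.0 to 1.5.6) and report on the installed binary.

# containerd_affected VERSION
# Returns 0 if VERSION is in the affected range, 1 if it includes the fix.
# Accepts "v1.5.7", "1.5.7" and strings with a suffix such as "1.5.7-rc.1".
containerd_affected() {
  v=${1#v}                    # drop a leading "v"
  v=${v%%[-+]*}               # drop pre-release / build suffixes
  old_ifs=$IFS
  IFS=.
  set -- $v                   # split "1.5.7" into $1 $2 $3
  IFS=$old_ifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}

  case "$major.$minor" in
    1.4) [ "$patch" -lt 11 ] ;;     # 1.4.0 .. 1.4.10 are affected
    1.5) [ "$patch" -lt 7 ] ;;      # 1.5.0 .. 1.5.6 are affected
    *)
      # Anything older than the 1.4 line is below v1.4.11 and so affected;
      # release lines newer than 1.5 were cut after the fix landed.
      if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 4 ]; }; then
        return 0
      fi
      return 1 ;;
  esac
}

# installed_containerd_version
# Prints the version reported by the containerd binary on PATH (assumed to be
# the third field of "containerd --version"); returns 1 if it is not installed.
installed_containerd_version() {
  command -v containerd >/dev/null 2>&1 || return 1
  containerd --version 2>/dev/null | awk '{ print $3 }'
}

# report_installed_status
# Human-readable summary for the node. Exit status: 0 fixed, 1 affected,
# 2 containerd not found.
report_installed_status() {
  ver=$(installed_containerd_version) || { echo "containerd not found on PATH"; return 2; }
  if containerd_affected "$ver"; then
    echo "containerd $ver is affected by CVE-2021-41103; upgrade to v1.4.11 or v1.5.7"
    return 1
  fi
  echo "containerd $ver includes the fix for CVE-2021-41103"
  return 0
}

# Run the report only when invoked with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  report_installed_status
fi
```

Run it as sh check-containerd.sh --check on each node; the exit status makes it usable from a fleet-wide inventory job.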

Impacts

If containers in a multi-tenant cluster contain executable programs with extended permission bits (such as setuid or setgid), unprivileged Linux users on the node can discover and execute those programs. When the UID or GID of an unprivileged Linux user on the host collides with the owner or group of a file inside a container, that user can discover, read, and modify the file.

Mitigation

  1. Allow only trusted users to access cluster nodes. Do not grant node access to untrusted users: exploitation requires an unprivileged Linux account on the host.
  2. Upgrade containerd to v1.4.11, v1.5.7, or later, and restrict the permissions on container bundle directories so that group and other users can neither read nor traverse them. Upgrading alone only applies the restricted permissions to bundle directories created for newly started containers; containers that were already running before the upgrade keep their old bundle directory permissions until they are restarted or the permissions are corrected manually.
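The following shell script is an added example that implements the permission check and workaround on a node; it is not part of this topic or of the containerd project. It assumes a default containerd installation with the stock state directory /run/containerd and the runtime v2 bundle layout /run/containerd/io.containerd.runtime.v2.task/<namespace>/<container-id>/rootfs (override the state directory with the first argument). It reports bundle directories that group or other users can read or traverse, lists setuid and setgid files visible through each container root filesystem, and with --fix restricts the bundle directories to owner-only (0700). It relies on GNU find (-maxdepth and -perm /MODE) and must run as root on the node; the function names are hypothetical.

```shell
#!/bin/sh
# Added example for CVE-2021-41103 (not containerd's own tooling).
# Assumes a default containerd install: state directory /run/containerd and
# runtime v2 bundles at <state>/io.containerd.runtime.v2.task/<ns>/<id>/rootfs.
# Requires GNU find (-maxdepth and -perm /MODE). Run as root.

TASK_SUBDIR=io.containerd.runtime.v2.task

# open_bundle_dirs STATE_DIR
# Prints the task root, namespace and bundle directories under STATE_DIR that
# group or other users can read, write or traverse (any of the 077 bits set).
# Fixed containerd versions create these directories owner-only, so on a
# patched node with restarted containers nothing should print.
open_bundle_dirs() {
  root="$1/$TASK_SUBDIR"
  [ -d "$root" ] || return 0
  find "$root" -maxdepth 2 -type d -perm /077
}

# setuid_files_in_rootfs STATE_DIR
# Lists setuid/setgid regular files visible through each bundle's rootfs:
# the programs an unprivileged host user could discover and run while the
# bundle directory was traversable. -xdev keeps find inside each rootfs mount.
setuid_files_in_rootfs() {
  root="$1/$TASK_SUBDIR"
  [ -d "$root" ] || return 0
  for rootfs in "$root"/*/*/rootfs; do
    [ -d "$rootfs" ] || continue
    find "$rootfs" -xdev -type f \( -perm -4000 -o -perm -2000 \)
  done
}

# restrict_bundle_dirs STATE_DIR
# Workaround for nodes that cannot be upgraded yet, and for containers started
# before the upgrade: make the task root, namespace and bundle directories
# owner-only (0700). The rootfs mount itself is left alone; its mode comes from
# the container image, and the parent directory is what blocks traversal.
restrict_bundle_dirs() {
  root="$1/$TASK_SUBDIR"
  [ -d "$root" ] || return 0
  find "$root" -maxdepth 2 -type d -perm /077 -exec chmod 700 {} +
}

# audit_node STATE_DIR [audit|fix]
# Prints the findings; in fix mode also applies restrict_bundle_dirs.
audit_node() {
  state=${1:-/run/containerd}
  mode=${2:-audit}
  open=$(open_bundle_dirs "$state")
  if [ -n "$open" ]; then
    printf 'bundle directories accessible to group/other:\n%s\n' "$open"
  else
    echo "no group/other-accessible bundle directories under $state"
  fi
  suid=$(setuid_files_in_rootfs "$state")
  if [ -n "$suid" ]; then
    printf 'setuid/setgid files visible under container rootfs:\n%s\n' "$suid"
  fi
  if [ "$mode" = fix ] && [ -n "$open" ]; then
    restrict_bundle_dirs "$state"
    echo "restricted bundle directories under $state to 0700"
  fi
}

# Usage: sh bundle-perms.sh [STATE_DIR]        audit only
#        sh bundle-perms.sh --fix [STATE_DIR]  audit and apply the workaround
if [ "${1:-}" = "--fix" ]; then
  audit_node "${2:-/run/containerd}" fix
else
  audit_node "${1:-/run/containerd}" audit
fi
```

The setuid listing is informational: the bits belong to the image, and the fix is to keep host users out of the bundle directory rather than to strip bits from images. Re-run the audit after restarting containers on an upgraded node to confirm that newly created bundle directories come up owner-only.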