Description: | containerd is an open source container runtime. A bug was found in
containerd prior to versions 1.6.18 and 1.5.18 where supplementary
groups are not set up properly inside a container. If an attacker has
direct access to a container and manipulates their supplementary group
access, they may be able to use supplementary group access to bypass
primary group restrictions in some cases, potentially gaining access
to sensitive information or gaining the ability to execute code in
that container. Downstream applications that use the containerd client
library may be affected as well. This bug has been fixed in containerd
v1.6.18 and v1.5.18. Users should update to these versions and
recreate containers to resolve this issue. Users who rely on a
downstream application that uses containerd's client library should
check that application for a separate advisory and instructions. As a
workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction
is not used. Instead, set the container entrypoint to a value similar
to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up
supplementary groups.
|
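A practical way to confirm whether a running container is affected, or that the upgrade and recreation took effect, is to compare the supplementary groups the process actually holds (`id -G`) with the groups `/etc/passwd` and `/etc/group` grant that user. The script below is an added example, not part of the advisory or of containerd; the `app`, `www` and `log` entries in the sample passwd/group files are constructed for the example, and the functions `expected_gids`, `unexpected_gids` and `check_process_gids` are names chosen here.

```shell
#!/bin/sh
# Added example (not containerd code): detect supplementary groups a
# container process holds beyond what /etc/passwd and /etc/group grant.
# The passwd/group contents below are constructed sample data.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_GROUP="$SAMPLE_DIR/group"

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
app:x:1000:1000:app:/home/app:/bin/sh
EOF

cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
www:x:33:app
log:x:101:app,root
app:x:1000:
EOF

# expected_gids USER PASSWD_FILE GROUP_FILE
# Prints the gids USER should have: the primary gid from PASSWD_FILE plus
# every group in GROUP_FILE whose member list names USER, sorted numerically.
expected_gids() {
    primary=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$2")
    supp=$(awk -F: -v u="$1" \
        '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }' "$3")
    printf '%s\n' $primary $supp | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# unexpected_gids "ACTUAL GIDS" "EXPECTED GIDS"
# Prints, space separated, the gids present in ACTUAL but not in EXPECTED.
unexpected_gids() {
    expected=" $2 "
    extra=""
    for g in $1; do
        case "$expected" in
            *" $g "*) ;;
            *) extra="$extra $g" ;;
        esac
    done
    printf '%s' "${extra# }"
}

# check_process_gids USER "ACTUAL GIDS" PASSWD_FILE GROUP_FILE
# Returns 0 when ACTUAL carries no group beyond what the files grant USER,
# 1 otherwise (reporting the extra gids on stderr).
check_process_gids() {
    extra=$(unexpected_gids "$2" "$(expected_gids "$1" "$3" "$4")")
    if [ -n "$extra" ]; then
        echo "user $1 holds unexpected supplementary gids: $extra" >&2
        return 1
    fi
    return 0
}

# Live self-check inside a container (real files, current process):
#   check_process_gids "$(id -un)" "$(id -G)" /etc/passwd /etc/group
```

Run the live self-check as the container's own user after recreating the container on a fixed containerd: a non-empty list of extra gids (for instance gid 0 showing up for a non-root user) means the process still carries groups that its user was never granted, which is exactly the condition the advisory describes.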