Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2021-21334

Published: 5 March 2021

In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.

Priority

Medium

Cvss 3 Severity Score

6.3

Score breakdown

Status

Package Release Status
containerd
Launchpad, Ubuntu, Debian 		bionic
Released (1.5.2-0ubuntu1~18.04.2)
focal
Released (1.3.3-0ubuntu2.3)
groovy
Released (1.3.7-0ubuntu3.3)
hirsute
Released (1.4.4-0ubuntu1)
impish
Released (1.4.4-0ubuntu1)
jammy
Released (1.4.4-0ubuntu1)
kinetic
Released (1.4.4-0ubuntu1)
lunar
Released (1.4.4-0ubuntu1)
mantic
Released (1.4.4-0ubuntu1)
trusty Does not exist

upstream
Released (1.3.10,1.4.4~ds1-1)
xenial Needed

Patches:
upstream: https://github.com/containerd/containerd/commit/2d9c8aa4b3f4313982c5c999af57212a1c5d144b
upstream: https://github.com/containerd/containerd/commit/cbcb2f57fbe221986f96b552855eb802f63193de
upstream: https://github.com/containerd/cri/commit/7ea3462fc2d4e550b307cefb282b7408d7d7f997
upstream: https://github.com/containerd/cri/commit/f9bcbb7329a47f34261da2cfafa6bd5f63268437

Severity score breakdown

Parameter Value
Base score 6.3
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Changed
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading