Rapid7 Vulnerability & Exploit Database

Huawei EulerOS: CVE-2021-32760: docker-engine security update

Back to Search

Huawei EulerOS: CVE-2021-32760: docker-engine security update

Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
07/19/2021
Created
06/18/2022
Added
06/17/2022
Modified
06/17/2022

Description

containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.

Solution(s)

  • huawei-euleros-2_0_sp5-upgrade-docker-engine
  • huawei-euleros-2_0_sp5-upgrade-docker-engine-selinux

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;