Bug 1183397 (CVE-2021-21334) - VUL-0: CVE-2021-21334: containerd: potential information leak through environment variables
Summary: VUL-0: CVE-2021-21334: containerd: potential information leak through environ...
Status: RESOLVED FIXED
Alias: CVE-2021-21334
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Minor
Target Milestone: ---
Assignee: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/279560/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-21334:6.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-11 15:03 UTC by Robert Frohl
Modified: 2024-05-23 07:02 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Frohl 2021-03-11 15:03:57 UTC 
CVE-2021-21334

In containerd (an industry-standard container runtime) before versions 1.3.10
and 1.4.4, containers launched through containerd's CRI implementation (through
Kubernetes, crictl, or any other pod/container client that uses the containerd
CRI service) that share the same image may receive incorrect environment
variables, including values that are defined for other containers. If the
affected containers have different security contexts, this may allow sensitive
information to be unintentionally shared. If you are not using containerd's CRI
implementation (through one of the mechanisms described above), you are not
vulnerable to this issue. If you are not launching multiple containers or
Kubernetes pods from the same image which have different environment variables,
you are not vulnerable to this issue. If you are not launching multiple
containers or Kubernetes pods from the same image in rapid succession, you have
reduced likelihood of being vulnerable to this issue This vulnerability has been
fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these
versions.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21334
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21334
https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e
https://github.com/containerd/containerd/releases/tag/v1.3.10
https://github.com/containerd/containerd/releases/tag/v1.4.4
https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4
Comment 1 Robert Frohl 2021-03-11 15:07:51 UTC 
tracking as affected:

- SUSE:SLE-12:Update/containerd
- SUSE:SLE-15:Update/containerd
- openSUSE:Factory/containerd
Comment 2 Swamp Workflow Management 2021-04-30 16:21:10 UTC 
SUSE-SU-2021:1458-1: An update that solves 9 vulnerabilities and has 23 fixes is now available.

Category: security (important)
Bug References: 1028638,1034053,1048046,1051429,1053532,1095817,1118897,1118898,1118899,1121967,1131314,1131553,1149954,1152308,1160452,1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183397,1183855,1184768,1184962
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-16884,CVE-2019-19921,CVE-2019-5736,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.4-16.38.1, docker-20.10.6_ce-98.66.1, runc-1.0.0~rc93-16.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 Aleksa Sarai 2024-05-23 07:02:49 UTC 
Fixed in 2021.