The containerd community discovered the vulnerability CVE-2022-23648, which allows read access to files on the host. An attacker can exploit it by deploying a malicious image with a specific configuration, bypassing policy-based enforcement such as pod security policies and retrieving sensitive information from the host.
CVE-2022-23648 is rated as medium severity.
Affected versions
The following containerd versions are affected:
- ≤ v1.4.12
- v1.5.0~v1.5.9
- v1.6.0
This vulnerability is fixed in the following Kubernetes versions:
- v1.4.13
- v1.5.10
- v1.6.1
Note: Nodes in node pools that use the containerd runtime are affected by this vulnerability.
For more information about this vulnerability, see CVE-2022-23648.
Mitigation
- Perform the following steps to update the containerd version of the existing cluster nodes:
  - Run the kubectl drain command to drain the node that you need to update.
  - Run the systemctl stop kubelet command to stop kubelet on the node.
  - Run the systemctl stop containerd command to stop containerd on the node.
  - Install the latest RPM package of containerd.
  - Run the systemctl start containerd command to start containerd.
  - Run the systemctl start kubelet command to start kubelet.
  - After you update the containerd version for the node, run the kubectl uncordon command to change the node to the Schedulable state.
  - If you want to update the containerd version of other nodes, repeat the preceding steps.
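The node update sequence above as one script, added here as an example and not part of the advisory: it checks the installed containerd version against the affected ranges listed above, then drains, stops, updates and restarts, and only uncordons the node once the new version is outside those ranges. The package name containerd.io, the yum invocation, the kubectl drain flags and the awk parsing of containerd --version output are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: check whether a node's containerd is in
# an affected range for CVE-2022-23648 and, if so, run the node update sequence.
set -eu

# Returns 0 (affected) for containerd <= 1.4.12, 1.5.0-1.5.9 or 1.6.0, else 1.
containerd_is_vulnerable() {
  ver=${1#v}                            # accept "v1.6.1" or "1.6.1"
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  [ "$patch" = "$rest" ] && patch=0     # no patch component given
  minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}   # drop "-rc.1", "+build"
  [ -z "$patch" ] && patch=0
  [ "$major" -lt 1 ] && return 0
  [ "$major" -gt 1 ] && return 1
  case "$minor" in
    0|1|2|3) return 0 ;;
    4) [ "$patch" -le 12 ] ;;
    5) [ "$patch" -le 9 ] ;;
    6) [ "$patch" -eq 0 ] ;;
    *) return 1 ;;
  esac
}

# Drain, update and uncordon one node; run it on that node with kubectl access.
# Package name "containerd.io" and the awk version parsing are assumptions.
update_node_containerd() {
  node=$1
  current=$(containerd --version | awk '{print $3}')
  if ! containerd_is_vulnerable "$current"; then
    echo "$node: containerd $current is not affected; nothing to do"
    return 0
  fi
  kubectl drain "$node" --ignore-daemonsets --delete-emptydir-data
  systemctl stop kubelet
  systemctl stop containerd
  yum install -y containerd.io          # install the fixed RPM
  systemctl start containerd
  systemctl start kubelet
  updated=$(containerd --version | awk '{print $3}')
  if containerd_is_vulnerable "$updated"; then
    echo "$node: containerd $updated is still affected; node left cordoned" >&2
    return 1
  fi
  kubectl uncordon "$node"
}

if [ "$#" -ge 1 ]; then                # usage: sh update-containerd.sh <node>
  update_node_containerd "$1"
fi
```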
- Fixes:
  - Revoke the permissions to deploy applications from untrusted users.
  - Use the Policy Governance feature based on the Open Policy Agent (OPA) policy engine to prevent users from deploying untrusted images in clusters. For more information, see Configure and enforce ACK pod security policies.