The containerd community discovered the vulnerability CVE-2022-23648, which allows read access to files on the host. An attacker who can deploy a malicious image with a specific configuration can exploit this vulnerability to bypass policy-based enforcement, such as pod security policies, and retrieve sensitive information from the host.

CVE-2022-23648 is rated as medium severity.

Affected versions

The following containerd versions are affected:

  • ≤ v1.4.12
  • v1.5.0 to v1.5.9
  • v1.6.0

This vulnerability is fixed in the following containerd versions:

  • v1.4.13
  • v1.5.10
  • v1.6.1

Note: Nodes in node pools that use the containerd runtime are affected by this vulnerability.

For more information about this vulnerability, see CVE-2022-23648.

Mitigation

  1. Perform the following steps to update the containerd version of the existing cluster nodes:
    1. Run the kubectl drain command to drain the node that you need to update.
    2. Run the systemctl stop kubelet command to stop kubelet on the node.
    3. Run the systemctl stop containerd command to stop containerd on the node.
    4. Install the latest RPM package of containerd.
    5. Run the systemctl start containerd command to start containerd.
    6. Run the systemctl start kubelet command to start kubelet.
    7. After you update the containerd version for the node, run the kubectl uncordon command to change the node to the Schedulable state.
    8. If you want to update the containerd version of other nodes, repeat the preceding steps.
  2. Fixes:
    1. Revoke the permission of untrusted users to deploy applications.
    2. Use the Policy Governance feature based on the Open Policy Agent (OPA) policy engine to prevent users from deploying untrusted images in clusters. For more information, see Configure and enforce ACK pod security policies.
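The per-node update sequence above, as an added bash example that is not part of this advisory or of containerd: it checks the installed containerd version against the affected ranges listed under Affected versions, runs steps 1 to 7 only when the node is affected, and re-checks the version before uncordoning. The `kubectl drain` flags, `rpm -Uvh` as the installer, and reading the version from field 3 of `containerd --version` are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the advisory: check a node's containerd version against
# the CVE-2022-23648 affected ranges and, only if affected, run the per-node update.
set -euo pipefail

# 0 = affected (<= 1.4.12, 1.5.0 - 1.5.9, 1.6.0); 1 = fixed (1.4.13, 1.5.10,
# 1.6.1 and later); 2 = unparsable version string.
containerd_is_vulnerable() {
  local major minor patch re='^[0-9]+\.[0-9]+(\.[0-9]+)?$'
  local v="${1#v}"      # accept "v1.5.9" as well as "1.5.9"
  v="${v%%-*}"          # ignore pre-release suffixes such as "-rc.1"
  [[ $v =~ $re ]] || return 2
  IFS=. read -r major minor patch <<<"$v"
  patch="${patch:-0}"
  if (( major < 1 )); then return 0; fi
  if (( major > 1 )); then return 1; fi
  case "$minor" in
    0|1|2|3) return 0 ;;                              # older than any fixed release
    4) (( patch <= 12 )) && return 0 || return 1 ;;
    5) (( patch <= 9 ))  && return 0 || return 1 ;;
    6) (( patch == 0 ))  && return 0 || return 1 ;;
    *) return 1 ;;
  esac
}
installed_version() { containerd --version | awk '{print $3}'; }  # assumption: field 3

# Steps 1-7 of the advisory. Assumptions: kubectl drain flags and rpm -Uvh as installer.
update_node() {
  local node="$1" rpm="$2"
  kubectl drain "$node" --ignore-daemonsets   # 1. drain the node
  systemctl stop kubelet                       # 2. stop kubelet
  systemctl stop containerd                    # 3. stop containerd
  rpm -Uvh "$rpm"                              # 4. install the fixed containerd RPM
  systemctl start containerd                   # 5. start containerd
  systemctl start kubelet                      # 6. start kubelet
  if containerd_is_vulnerable "$(installed_version)"; then  # verify before uncordon
    echo "containerd $(installed_version) still affected; node left cordoned" >&2
    return 1
  fi
  kubectl uncordon "$node"                     # 7. make the node schedulable again
}

# Usage: ./containerd-cve-2022-23648.sh <node-name> <path/to/containerd.rpm>
if (( $# == 2 )); then
  if containerd_is_vulnerable "$(installed_version)"; then
    update_node "$1" "$2"
  else
    echo "containerd $(installed_version) is not in an affected range; nothing to do"
  fi
fi
```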