Medium: containerd, docker

2021-11-1715:38:00

alas.aws.amazon.com

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

48.1%

JSON

Issue Overview:

In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 and versions of containerd prior to 1.4.12 and 1.5.8 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image. (CVE-2021-41190)

Affected Packages:

containerd, docker

Issue Correction:
Run yum update containerd to update your system.
Run yum update docker to update your system.

New Packages:

src:  
    containerd-1.4.6-7.11.amzn1.src  
    docker-20.10.7-5.76.amzn1.src  
  
x86_64:  
    containerd-stress-1.4.6-7.11.amzn1.x86_64  
    containerd-1.4.6-7.11.amzn1.x86_64  
    containerd-debuginfo-1.4.6-7.11.amzn1.x86_64  
    docker-20.10.7-5.76.amzn1.x86_64  
    docker-debuginfo-20.10.7-5.76.amzn1.x86_64

Additional References

Red Hat: CVE-2021-41190

Mitre: CVE-2021-41190

OSVersionArchitecturePackageVersionFilename
Amazon Linux1x86_64containerd-stress< 1.4.6-7.11.amzn1containerd-stress-1.4.6-7.11.amzn1.x86_64.rpm
Amazon Linux1x86_64containerd< 1.4.6-7.11.amzn1containerd-1.4.6-7.11.amzn1.x86_64.rpm
Amazon Linux1x86_64containerd-debuginfo< 1.4.6-7.11.amzn1containerd-debuginfo-1.4.6-7.11.amzn1.x86_64.rpm
Amazon Linux1x86_64docker< 20.10.7-5.76.amzn1docker-20.10.7-5.76.amzn1.x86_64.rpm
Amazon Linux1x86_64docker-debuginfo< 20.10.7-5.76.amzn1docker-debuginfo-20.10.7-5.76.amzn1.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	x86_64	containerd-stress	< 1.4.6-7.11.amzn1	containerd-stress-1.4.6-7.11.amzn1.x86_64.rpm
Amazon Linux	1	x86_64	containerd	< 1.4.6-7.11.amzn1	containerd-1.4.6-7.11.amzn1.x86_64.rpm
Amazon Linux	1	x86_64	containerd-debuginfo	< 1.4.6-7.11.amzn1	containerd-debuginfo-1.4.6-7.11.amzn1.x86_64.rpm
Amazon Linux	1	x86_64	docker	< 20.10.7-5.76.amzn1	docker-20.10.7-5.76.amzn1.x86_64.rpm
Amazon Linux	1	x86_64	docker-debuginfo	< 20.10.7-5.76.amzn1	docker-debuginfo-20.10.7-5.76.amzn1.x86_64.rpm