
340 matches found

RedHat Linux
added 2021/05/26 6:6 a.m., 72 views

Important: Red Hat Security Advisory: OpenShift Container Platform 4.5.40 security and bug fix update

Red Hat OpenShift Container Platform release 4.5.40 is now available with updates to packages and images that fix several bugs. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed...

8.5 CVSS, 6.7 AI score, 0.06604 EPSS
Exploits 0, References 4
Tenable Nessus
added 2021/05/26 12:0 a.m., 20 views

RHEL 7 / 8 : OpenShift Container Platform 4.6.30 (RHSA-2021:1566)

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:1566 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private clo...

8.5 CVSS, 7.4 AI score, 0.06604 EPSS
Exploits 0, References 6
OSV
added 2021/05/24 5:0 p.m., 27 views

GHSA-36XW-FX78-C5R4 containerd-shim API Exposed to Host Network Containers

Impact Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID...

5.2 CVSS, 5.4 AI score, 0.03236 EPSS
Exploits 4, References 8
Rapid7 Blog
added 2021/04/08 1:27 p.m., 60 views

Kubernetes Namespaces Are Not as Secure as You Think

In a previous article, we described how the usage of namespaces in Kubernetes significantly simplifies the management of a Kubernetes cluster. However, managing multiple microservices on the same cluster comes with a security cost when not planned correctly. A common misconception around namespac...

6.7 AI score
Exploits 0
Fedora
added 2021/03/15 1:20 a.m., 55 views

[SECURITY] Fedora 33 Update: containerd-1.4.4-1.fc33

Containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervisio...

6.3 CVSS, 2.6 AI score, 0.02044 EPSS
Exploits 0
Tenable Nessus
added 2021/03/15 12:0 a.m., 27 views

Fedora 33 : 1:golang-github-containerd-cri (2021-10ce8fcbf1)

The remote Fedora 33 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2021-10ce8fcbf1 advisory. - In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation through...

6.3 CVSS, 6.4 AI score, 0.02044 EPSS
Exploits 0, References 2
CVE
added 2021/03/10 9:30 p.m., 487 views

CVE-2021-21334

CVE-2021-21334 affects containerd’s CRI plugin: when multiple containers/pods are launched from the same image, containers may receive incorrect environment variables shared across them, potentially exposing sensitive data. The issue is fixed in containerd versions 1.3.10 and 1.4.4; affected envi...

6.3 CVSS, 6.5 AI score, 0.02044 EPSS
Exploits 0, References 8, Affected Software 1
OpenVAS
added 2021/03/01 12:0 a.m., 30 views

Debian: Security Advisory (DSA-4865-1)

The remote host is missing an update for the Debian...

6.8 CVSS, 6.4 AI score, 0.03287 EPSS
Exploits 5, References 4
Fedora
added 2020/12/10 1:15 a.m., 48 views

[SECURITY] Fedora 33 Update: containerd-1.4.3-1.fc33

Containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervisio...

5.2 CVSS, 2.6 AI score, 0.03236 EPSS
Exploits 4
Tenable Nessus
added 2020/12/03 12:0 a.m., 37 views

Oracle Linux 7 : containerd (ELSA-2020-5964)

The remote Oracle Linux 7 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2020-5964 advisory. - Addresses CVE-2020-15257 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory. Note that Nessus has not test...

5.2 CVSS, 6.4 AI score, 0.03236 EPSS
Exploits 4, References 2
NVD
added 2020/12/01 3:15 a.m., 19 views

CVE-2020-15257

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting...

5.2 CVSS, 5.6 AI score, 0.03236 EPSS
Exploits 4, References 6
Debian CVE
added 2020/12/01 2:30 a.m., 35 views

CVE-2020-15257

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting...

5.2 CVSS, 6.1 AI score, 0.03236 EPSS
Exploits 4
AlpineLinux
added 2020/12/01 2:30 a.m., 54 views

CVE-2020-15257

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting...

5.2 CVSS, 5.5 AI score, 0.03236 EPSS
Exploits 4
CVE
added 2020/12/01 2:30 a.m., 560 views

CVE-2020-15257

The CVE describes a privilege-escalation issue in containerd where access controls on the shim API socket allowed a container in the same network namespace to run new processes with elevated privileges. Affected releases are containerd before 1.3.9 and before 1.4.3; the vulnerability stems from e...

5.2 CVSS, 5.4 AI score, 0.03236 EPSS
In wild, Exploits 4, References 6, Affected Software 1
ATTACKERKB
added 2020/12/01 12:0 a.m., 213 views

CVE-2020-15257

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting...

5.2 CVSS, 5.4 AI score, 0.03236 EPSS
In wild, Exploits 4, References 7
UbuntuCve
added 2020/11/30 12:0 a.m., 34 views

CVE-2020-15257

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting...

5.2 CVSS, 6.7 AI score, 0.03236 EPSS
Exploits 4, References 4
Qualys Blog
added 2020/11/04 3:51 a.m., 57 views

Built-in Runtime Security for Containers

Security teams struggle with visibility into behaviors inside their running containers. Qualys is today announcing general availability of Container Runtime Security (CRS) to provide industry-leading visibility for running containers using an approach that is container-engine agnostic and layered...

0.2 AI score
Exploits 0
CVE
added 2020/10/16 4:45 p.m., 276 views

CVE-2020-15157

The CVE-2020-15157 issue affects containerd (pre-1.2.14) where the default resolver would leak credentials when a container image manifest points to a foreign layer. If a manifest directs a layer URL to an attacker-controlled web server and the image is pulled, credentials used for the registry co...

6.1 CVSS, 6.8 AI score, 0.02209 EPSS
Exploits 1, References 5, Affected Software 1
RedHat Linux
added 2020/07/27 6:50 p.m., 4 views

cri-o: infra container reparented to systemd following OOM Killer killing it's conmon

A flaw was found in cri-o, as a result of all pod-related processes being placed in the same memory cgroup. This can result in container management (conmon) processes being killed if a workload process triggers an out-of-memory (OOM) condition for the cgroup. An attacker could abuse this flaw to get...

6 CVSS, 5.9 AI score, 0.00686 EPSS
Exploits 0, References 5
OpenVAS
added 2020/07/04 12:0 a.m., 24 views

Debian: Security Advisory (DSA-4716-1)

The remote host is missing an update for the Debian...

6 CVSS, 6.4 AI score, 0.02839 EPSS
Exploits 0, References 4