Security update for containerd, docker, runc SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2021:1458-1 Final 1 1 2021-04-30T10:58:51Z current 2021-04-30T10:58:51Z 2021-04-30T10:58:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for containerd, docker, runc This update for containerd, docker, runc fixes the following issues: - Docker was updated to 20.10.6-ce * Switch version to use -ce suffix rather than _ce to avoid confusing other tools (bsc#1182476). * CVE-2021-21284: Fixed a potential privilege escalation when the root user in the remapped namespace has access to the host filesystem (bsc#1181732) * CVE-2021-21285: Fixed an issue where pulling a malformed Docker image manifest crashes the dockerd daemon (bsc#1181730). - runc was updated to v1.0.0~rc93 (bsc#1182451 and bsc#1184962). * Use the upstream runc package (bsc#1181641, bsc#1181677, bsc#1175821). * Fixed /dev/null is not available (bsc#1168481). * Fixed an issue where podman hangs when spawned by salt-minion process (bsc#1149954). * CVE-2019-19921: Fixed a race condition with shared mounts (bsc#1160452). * CVE-2019-16884: Fixed an LSM bypass via malicious Docker image that mount over a /proc directory (bsc#1152308). * CVE-2019-5736: Fixed potential write attacks to the host runc binary (bsc#1121967). * Fixed an issue where after a kernel-update docker doesn't run (bsc#1131314 bsc#1131553) * Ensure that we always include the version information in runc (bsc#1053532). - Switch to Go 1.13 for build. * CVE-2018-16873: Fixed a potential remote code execution (bsc#1118897). * CVE-2018-16874: Fixed a directory traversal in 'go get' via curly braces in import paths (bsc#1118898). * CVE-2018-16875: Fixed a CPU denial of service (bsc#1118899). * Fixed an issue with building containers (bsc#1095817). - containerd was updated to v1.4.4 * CVE-2021-21334: Fixed a potential information leak through environment variables (bsc#1183397). * Handle a requirement from docker (bsc#1181594). * Install the containerd-shim* binaries and stop creating (bsc#1183024). * update version to the one required by docker (bsc#1034053) - Use -buildmode=pie for tests and binary build (bsc#1048046, bsc#1051429) - Cleanup seccomp builds similar (bsc#1028638). - Update to handle the docker-runc removal, and drop the -kubic flavour (bsc#1181677, bsc#1181749) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Image SLES12-SP5-Azure-Basic-On-Demand-2021-1458,Image SLES12-SP5-Azure-Standard-On-Demand-2021-1458,Image SLES12-SP5-EC2-ECS-On-Demand-2021-1458,Image SLES12-SP5-EC2-On-Demand-2021-1458,Image SLES12-SP5-GCE-On-Demand-2021-1458,SUSE-2021-1458,SUSE-SLE-Module-Containers-12-2021-1458 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ Link for SUSE-SU-2021:1458-1 https://lists.suse.com/pipermail/sle-security-updates/2021-April/008717.html E-Mail link for SUSE-SU-2021:1458-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1028638 SUSE Bug 1028638 https://bugzilla.suse.com/1034053 SUSE Bug 1034053 https://bugzilla.suse.com/1048046 SUSE Bug 1048046 https://bugzilla.suse.com/1051429 SUSE Bug 1051429 https://bugzilla.suse.com/1053532 SUSE Bug 1053532 https://bugzilla.suse.com/1095817 SUSE Bug 1095817 https://bugzilla.suse.com/1118897 SUSE Bug 1118897 https://bugzilla.suse.com/1118898 SUSE Bug 1118898 https://bugzilla.suse.com/1118899 SUSE Bug 1118899 https://bugzilla.suse.com/1121967 SUSE Bug 1121967 https://bugzilla.suse.com/1131314 SUSE Bug 1131314 https://bugzilla.suse.com/1131553 SUSE Bug 1131553 https://bugzilla.suse.com/1149954 SUSE Bug 1149954 https://bugzilla.suse.com/1152308 SUSE Bug 1152308 https://bugzilla.suse.com/1160452 SUSE Bug 1160452 https://bugzilla.suse.com/1168481 SUSE Bug 1168481 https://bugzilla.suse.com/1175081 SUSE Bug 1175081 https://bugzilla.suse.com/1175821 SUSE Bug 1175821 https://bugzilla.suse.com/1181594 SUSE Bug 1181594 https://bugzilla.suse.com/1181641 SUSE Bug 1181641 https://bugzilla.suse.com/1181677 SUSE Bug 1181677 https://bugzilla.suse.com/1181730 SUSE Bug 1181730 https://bugzilla.suse.com/1181732 SUSE Bug 1181732 https://bugzilla.suse.com/1181749 SUSE Bug 1181749 https://bugzilla.suse.com/1182451 SUSE Bug 1182451 https://bugzilla.suse.com/1182476 SUSE Bug 1182476 https://bugzilla.suse.com/1182947 SUSE Bug 1182947 https://bugzilla.suse.com/1183024 SUSE Bug 1183024 https://bugzilla.suse.com/1183397 SUSE Bug 1183397 https://bugzilla.suse.com/1183855 SUSE Bug 1183855 https://bugzilla.suse.com/1184768 SUSE Bug 1184768 https://bugzilla.suse.com/1184962 SUSE Bug 1184962 https://www.suse.com/security/cve/CVE-2018-16873/ SUSE CVE CVE-2018-16873 page https://www.suse.com/security/cve/CVE-2018-16874/ SUSE CVE CVE-2018-16874 page https://www.suse.com/security/cve/CVE-2018-16875/ SUSE CVE CVE-2018-16875 page https://www.suse.com/security/cve/CVE-2019-16884/ SUSE CVE CVE-2019-16884 page https://www.suse.com/security/cve/CVE-2019-19921/ SUSE CVE CVE-2019-19921 page https://www.suse.com/security/cve/CVE-2019-5736/ SUSE CVE CVE-2019-5736 page https://www.suse.com/security/cve/CVE-2021-21284/ SUSE CVE CVE-2021-21284 page https://www.suse.com/security/cve/CVE-2021-21285/ SUSE CVE CVE-2021-21285 page https://www.suse.com/security/cve/CVE-2021-21334/ SUSE CVE CVE-2021-21334 page Image SLES12-SP5-Azure-Basic-On-Demand Image SLES12-SP5-Azure-Standard-On-Demand Image SLES12-SP5-EC2-ECS-On-Demand Image SLES12-SP5-EC2-On-Demand Image SLES12-SP5-GCE-On-Demand SUSE Linux Enterprise Module for Containers 12 containerd-1.4.4-16.38.1 docker-20.10.6_ce-98.66.1 runc-1.0.0~rc93-16.8.1 containerd-ctr-1.4.4-16.38.1 docker-bash-completion-20.10.6_ce-98.66.1 docker-fish-completion-20.10.6_ce-98.66.1 docker-kubic-20.10.6_ce-98.66.1 docker-kubic-bash-completion-20.10.6_ce-98.66.1 docker-kubic-fish-completion-20.10.6_ce-98.66.1 docker-kubic-kubeadm-criconfig-20.10.6_ce-98.66.1 docker-kubic-zsh-completion-20.10.6_ce-98.66.1 docker-zsh-completion-20.10.6_ce-98.66.1 containerd-1.4.4-16.38.1 as a component of Image SLES12-SP5-Azure-Basic-On-Demand docker-20.10.6_ce-98.66.1 as a component of Image SLES12-SP5-Azure-Basic-On-Demand runc-1.0.0~rc93-16.8.1 as a component of Image SLES12-SP5-Azure-Basic-On-Demand containerd-1.4.4-16.38.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand docker-20.10.6_ce-98.66.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand runc-1.0.0~rc93-16.8.1 as a component of Image SLES12-SP5-Azure-Standard-On-Demand containerd-1.4.4-16.38.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand docker-20.10.6_ce-98.66.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand runc-1.0.0~rc93-16.8.1 as a component of Image SLES12-SP5-EC2-ECS-On-Demand containerd-1.4.4-16.38.1 as a component of Image SLES12-SP5-EC2-On-Demand docker-20.10.6_ce-98.66.1 as a component of Image SLES12-SP5-EC2-On-Demand runc-1.0.0~rc93-16.8.1 as a component of Image SLES12-SP5-EC2-On-Demand containerd-1.4.4-16.38.1 as a component of Image SLES12-SP5-GCE-On-Demand docker-20.10.6_ce-98.66.1 as a component of Image SLES12-SP5-GCE-On-Demand runc-1.0.0~rc93-16.8.1 as a component of Image SLES12-SP5-GCE-On-Demand containerd-1.4.4-16.38.1 as a component of SUSE Linux Enterprise Module for Containers 12 docker-20.10.6_ce-98.66.1 as a component of SUSE Linux Enterprise Module for Containers 12 runc-1.0.0~rc93-16.8.1 as a component of SUSE Linux Enterprise Module for Containers 12 In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u". CVE-2018-16873 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Basic-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Standard-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-ECS-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-GCE-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-GCE-On-Demand:runc-1.0.0~rc93-16.8.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1 SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1 SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ https://www.suse.com/security/cve/CVE-2018-16873.html CVE-2018-16873 https://bugzilla.suse.com/1118897 SUSE Bug 1118897 https://bugzilla.suse.com/1118898 SUSE Bug 1118898 https://bugzilla.suse.com/1118899 SUSE Bug 1118899 In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution. CVE-2018-16874 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Basic-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Standard-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-ECS-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-GCE-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-GCE-On-Demand:runc-1.0.0~rc93-16.8.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1 SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1 SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ https://www.suse.com/security/cve/CVE-2018-16874.html CVE-2018-16874 https://bugzilla.suse.com/1118897 SUSE Bug 1118897 https://bugzilla.suse.com/1118898 SUSE Bug 1118898 https://bugzilla.suse.com/1118899 SUSE Bug 1118899 The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected. CVE-2018-16875 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Basic-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Standard-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-ECS-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-GCE-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-GCE-On-Demand:runc-1.0.0~rc93-16.8.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1 SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1 SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1 moderate 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ https://www.suse.com/security/cve/CVE-2018-16875.html CVE-2018-16875 https://bugzilla.suse.com/1118897 SUSE Bug 1118897 https://bugzilla.suse.com/1118898 SUSE Bug 1118898 https://bugzilla.suse.com/1118899 SUSE Bug 1118899 runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory. CVE-2019-16884 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Basic-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Standard-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-ECS-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-GCE-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-GCE-On-Demand:runc-1.0.0~rc93-16.8.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1 SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1 SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N 5.3 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ https://www.suse.com/security/cve/CVE-2019-16884.html CVE-2019-16884 https://bugzilla.suse.com/1152308 SUSE Bug 1152308 runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.) CVE-2019-19921 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Basic-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Standard-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-ECS-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-GCE-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-GCE-On-Demand:runc-1.0.0~rc93-16.8.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1 SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1 SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P 7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ https://www.suse.com/security/cve/CVE-2019-19921.html CVE-2019-19921 https://bugzilla.suse.com/1160452 SUSE Bug 1160452 https://bugzilla.suse.com/1208962 SUSE Bug 1208962 runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. CVE-2019-5736 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Basic-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Standard-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-ECS-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-GCE-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-GCE-On-Demand:runc-1.0.0~rc93-16.8.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1 SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1 SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1 moderate 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ https://www.suse.com/security/cve/CVE-2019-5736.html CVE-2019-5736 https://bugzilla.suse.com/1121967 SUSE Bug 1121967 https://bugzilla.suse.com/1122185 SUSE Bug 1122185 https://bugzilla.suse.com/1173421 SUSE Bug 1173421 https://bugzilla.suse.com/1218894 SUSE Bug 1218894 In Docker before versions 9.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using "--userns-remap", if the root user in the remapped namespace has access to the host filesystem they can modify files under "/var/lib/docker/<remapping>" that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user. CVE-2021-21284 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Basic-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Standard-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-ECS-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-GCE-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-GCE-On-Demand:runc-1.0.0~rc93-16.8.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1 SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1 SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1 low 2.7 AV:A/AC:L/Au:S/C:N/I:P/A:N 2.5 CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ https://www.suse.com/security/cve/CVE-2021-21284.html CVE-2021-21284 https://bugzilla.suse.com/1181732 SUSE Bug 1181732 In Docker before versions 9.03.15, 20.10.3 there is a vulnerability in which pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 20.10.3 and 19.03.15 contain patches that prevent the daemon from crashing. CVE-2021-21285 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Basic-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Standard-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-ECS-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-GCE-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-GCE-On-Demand:runc-1.0.0~rc93-16.8.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1 SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1 SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 5 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ https://www.suse.com/security/cve/CVE-2021-21285.html CVE-2021-21285 https://bugzilla.suse.com/1181730 SUSE Bug 1181730 In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions. CVE-2021-21334 Image SLES12-SP5-Azure-Basic-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Basic-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Basic-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-Azure-Standard-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-Azure-Standard-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-Azure-Standard-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-ECS-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-ECS-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-ECS-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-EC2-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-EC2-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-EC2-On-Demand:runc-1.0.0~rc93-16.8.1 Image SLES12-SP5-GCE-On-Demand:containerd-1.4.4-16.38.1 Image SLES12-SP5-GCE-On-Demand:docker-20.10.6_ce-98.66.1 Image SLES12-SP5-GCE-On-Demand:runc-1.0.0~rc93-16.8.1 SUSE Linux Enterprise Module for Containers 12:containerd-1.4.4-16.38.1 SUSE Linux Enterprise Module for Containers 12:docker-20.10.6_ce-98.66.1 SUSE Linux Enterprise Module for Containers 12:runc-1.0.0~rc93-16.8.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 6.3 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2021/suse-su-20211458-1/ https://www.suse.com/security/cve/CVE-2021-21334.html CVE-2021-21334 https://bugzilla.suse.com/1183397 SUSE Bug 1183397