Docker Container Escape Vulnerability (CVE-2020-15257)

Dec 09, 2020 GMT+08:00

I. Overview

The containerd project has officially released a security notice disclosing a container escape vulnerability (CVE-2020-15257) affecting Docker. containerd is the container runtime management component used by Docker and Kubernetes: it abstracts the details of containerization and provides APIs for managing container lifecycles. Under certain circumstances, an attacker who can reach the containerd-shim API can escape from a Docker container to the host.

If you use containerd, check your systems and apply security hardening promptly.

References:

https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

containerd versions earlier than 1.4.3

containerd versions earlier than 1.3.9

Secure versions:

containerd 1.4.3

containerd 1.3.9

IV. Vulnerability Handling

1. This vulnerability has been fixed in the newly released official versions. If your service version falls within the affected range, upgrade it to the latest secure version.

https://github.com/containerd/containerd/releases

2. Deny access to all abstract sockets with AppArmor by adding a rule such as "deny unix addr=@**," (the trailing comma is required by AppArmor rule syntax) to your policy.
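A small POSIX shell helper, added here as an example and not part of this notice or of containerd, that applies the affected ranges above to a version string and checks an AppArmor profile for the recommended deny rule. The output shape it parses from "containerd --version" and the sample profile are assumptions, constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a containerd version string
# against the CVE-2020-15257 ranges given in the notice, and check an AppArmor
# profile for the recommended abstract-socket deny rule.

# Pull "X.Y.Z" out of text such as the output of `containerd --version`
# (assumed shape: "containerd github.com/containerd/containerd v1.4.1 <commit>").
# Prints the version and returns 0, or returns 1 if no version is found.
cve_2020_15257_version() {
  for word in $1; do
    word=${word#v}; word=${word%%-*}     # drop leading "v" and "-beta.1" style suffixes
    case $word in
      *[!0-9.]*|.*|*.|*..*) continue ;;  # only digits and dots, well formed
      *.*.*) printf '%s\n' "$word"; return 0 ;;
    esac
  done
  return 1
}

# Returns 0 if affected, 1 if on a fixed release, 2 if no version was found.
# Per the notice: fixed in 1.3.9 and 1.4.3. Anything older than 1.4.3 is
# affected unless it is already a patched 1.3.x (1.3.9 or later).
cve_2020_15257_affected() {
  ver=$(cve_2020_15257_version "$1") || return 2
  oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
  n=$(( $1 * 1000000 + $2 * 1000 + $3 ))   # 1.4.3 -> 1004003
  [ "$n" -ge 1004003 ] && return 1
  [ "$n" -ge 1003009 ] && [ "$n" -lt 1004000 ] && return 1
  return 0
}

# Returns 0 if the AppArmor profile text contains the notice's mitigation,
# a rule denying every abstract Unix socket address ("deny unix addr=@**,").
cve_2020_15257_profile_denies_abstract() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*deny[[:space:]]+unix[[:space:]]+addr=@\*\*[[:space:]]*,'
}

# Demo on constructed inputs (on a host, pass "$(containerd --version)" instead).
sample_version='containerd github.com/containerd/containerd v1.4.1 <commit>'
sample_profile='profile docker-default flags=(attach_disconnected) {
  network,
  deny unix addr=@**,
}'
if cve_2020_15257_affected "$sample_version"; then
  echo "affected: containerd $(cve_2020_15257_version "$sample_version")"
else
  echo "not affected"
fi
cve_2020_15257_profile_denies_abstract "$sample_profile" && echo "abstract sockets denied"
```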

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.