# CVE-2020-15257
Published 2020-12-01
Priority P4 · 29 · Severity medium · CVSS 3.1 base score 5.2
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
EPSS: 3.24% (86.7th percentile)
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.

This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade.

If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with `docker run --net=host` or `hostNetwork: true` in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to `deny unix addr=@**,` to your policy.

It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.
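The advisory's exposure condition is a conjunction of three facts: a shim from an unfixed version range, a container sharing the shim's network namespace, and an effective UID of 0. The following is an added illustration (not containerd project code) that encodes exactly that condition as a check over Kubernetes pod specs; the pod specs are constructed samples in the shape `kubectl get pod -o json` emits, and treating an unspecified UID as "probably root" is this example's own conservative assumption.

```python
"""Added illustration (not containerd project code): flag pod specs that meet the
CVE-2020-15257 exposure condition from the advisory, i.e. a vulnerable shim
version (< 1.3.9 or 1.4.0 <= v < 1.4.3), hostNetwork: true, and effective UID 0.
Pod specs are constructed samples in the shape `kubectl get pod -o json` emits."""
from typing import Optional

APPARMOR_DENY_ABSTRACT = "deny unix addr=@**,"  # mitigation line quoted in the advisory


def parse_version(v: str) -> tuple:
    # "1.4.3~ds1-1" or "v1.4.2" -> (1, 4, 3); distro suffixes are dropped.
    core = v.lstrip("v").split("~")[0].split("-")[0]
    return tuple(int(x) for x in core.split("."))


def shim_is_vulnerable(version: str) -> bool:
    # Fixed in 1.3.9 (1.3.x line) and 1.4.3 (1.4.x line), per the advisory.
    v = parse_version(version)
    return v < (1, 3, 9) or (1, 4, 0) <= v < (1, 4, 3)


def effective_uid(container: dict, pod_spec: dict) -> Optional[int]:
    # Container securityContext overrides the pod's; -1 = kubelet-enforced
    # non-root (runAsNonRoot); None = unknown, i.e. the image default applies.
    for ctx in (container.get("securityContext") or {}, pod_spec.get("securityContext") or {}):
        if "runAsUser" in ctx:
            return int(ctx["runAsUser"])
        if ctx.get("runAsNonRoot"):
            return -1
    return None


def exposed_containers(pod_spec: dict, containerd_version: str) -> list:
    """Names of containers meeting all three conditions; an unknown UID is
    reported with a trailing '?' because image defaults are commonly root."""
    if not shim_is_vulnerable(containerd_version) or not pod_spec.get("hostNetwork"):
        return []
    out = []
    for c in pod_spec.get("containers", []):
        uid = effective_uid(c, pod_spec)
        if uid == 0:
            out.append(c["name"])
        elif uid is None:
            out.append(c["name"] + "?")
    return out


# Constructed sample: host-network pod with a root agent and a non-root sidecar.
SAMPLE_POD = {
    "hostNetwork": True,
    "securityContext": {"runAsUser": 0},
    "containers": [{"name": "agent"},
                   {"name": "sidecar", "securityContext": {"runAsNonRoot": True}}],
}
```

For a pod that is flagged, the advisory's two remedies are restarting it under a fixed shim or adding `APPARMOR_DENY_ABSTRACT` to its AppArmor profile.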
## Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| containerd | containerd | < 1.3.9 | 1.3.9 |
| containerd | containerd | >= 0 < 1.4.3~ds1-1 | 1.4.3~ds1-1 |
| debian | containerd | < containerd 1.4.3~ds1-1 (bookworm) | containerd 1.4.3~ds1-1 (bookworm) |
| debian | debian_linux | — | — |
| debian | docker.io | < containerd 1.4.3~ds1-1 (bookworm) | containerd 1.4.3~ds1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| github.com | containerd_containerd | >= 0 < 1.3.9 | 1.3.9 |
| github.com | containerd_containerd | >= 1.4.0 < 1.4.3 | 1.4.3 |
| linuxfoundation | containerd | < 1.3.9 | 1.3.9 |
| linuxfoundation | containerd | >= 1.4.0 < 1.4.3 | 1.4.3 |
## CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 3.6 | LOW | AV:L/AC:L/Au:N/C:P/I:P/A:N |
| osv | — | 5.2 | MEDIUM | — |
| vendor_debian | — | 5.2 | MEDIUM | — |
| vendor_redhat | — | 5.2 | MEDIUM | — |
## OSV (2024-08-21): containerd-shim API Exposed to Host Network Containers in github.com/containerd/containerd

## GHSA (2021-05-24): CVE-2020-15257 [MEDIUM] CWE-669 containerd-shim API Exposed to Host Network Containers
## Impact
Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.
### Specific Go Packages Affected
github.com/containerd/containerd/cmd
## Patches
This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running
## OSV (2021-05-24): CVE-2020-15257 [MEDIUM] containerd-shim API Exposed to Host Network Containers
## OSV (2020-12-01, CVSS 5.2): CVE-2020-15257 [MEDIUM] containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows
## Ubuntu (vendor_ubuntu, 2021-01-13): containerd vulnerability
Summary: containerd could be made to crash or run programs as an administrator.
USN-4653-1 fixed a vulnerability in containerd. Unfortunately, those containerd packages introduced a regression in docker.io and the update was reverted. This update addresses the docker.io issue and reintroduces the fixes from USN-4653-1. We apologize for the inconvenience.
Instructions: After a standard system update you need to restart containerd to make all the necessary changes.
## Red Hat (vendor_redhat, 2020-11-30, CVSS 5.2): CVE-2020-15257 [MEDIUM] CWE-269 containerd: unrestricted access to abstract Unix domain socket can lead to privilege escalation
## Ubuntu (vendor_ubuntu, 2020-11-30): containerd vulnerability
Summary: containerd could be made to crash or run programs as an administrator.
It was discovered that access controls for the shim's API socket did not restrict access to the abstract Unix domain socket in some cases. An attacker could use this vulnerability to run containers with elevated privileges.
Instructions: After a standard system update you need to restart containerd to make all the necessary changes.
## Debian (vendor_debian, 2020, CVSS 5.2): CVE-2020-15257 [MEDIUM] containerd
No detection rules found.
No public exploits indexed.
## arXiv (arxiv_fulltext, 2025-04-15): KubeFence: Security Hardening of the Kubernetes Attack Surface
Carmine Cesarano, Roberto Natella
Università degli Studi di Napoli Federico II, Italy
{carmine.cesarano2, roberto.natella}@unina.it
### Abstract
Kubernetes (K8s) is widely used to orchestrate containerized applications, including critical services in domains such as finance, healthcare, and government. However, its extensive and feature-rich API interface exposes a broad attack surface, making K8s vulnerable to exploits of software vulnerabilities and misconfigurations. Even if K8s adopts role-based access control (RBAC) to manage access to K8s APIs, this approach lacks the granularity needed to protect specification attributes within API requests.
This paper proposes a novel solution, KubeFence, which implements finer-grain API filtering t
## arXiv (arxiv_fulltext, 2024-07-31): Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Raveen Kanishka Jayalath* (University of Adelaide, Australia), Hussain Ahmad* (University of Adelaide, Australia), Diksha Goel (CSIRO's Data61, Australia), Muhammad Shuja Syed (SLB, USA), Faheem Ullah (University of Adelaide, Australia)
*Authors contributed equally to this work. Corresponding author.
### Abstract
Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come w
## References
- https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad
- https://github.com/containerd/containerd/releases/tag/v1.4.3
- https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/
- https://security.gentoo.org/glsa/202105-33
- https://www.debian.org/security/2021/dsa-4865