Bug 29003 - docker-containerd new security issue CVE-2021-21334
Summary: docker-containerd new security issue CVE-2021-21334
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-29 00:41 CEST by David Walser
Modified: 2021-06-13 23:34 CEST
CC: 4 users

See Also:
Source RPM: docker-containerd-1.4.3-2.mga8.src.rpm
CVE: CVE-2021-21334
Status comment:



Description David Walser 2021-05-29 00:41:17 CEST
Ubuntu has issued an advisory on March 17:
https://ubuntu.com/security/notices/USN-4881-1

The issue is fixed upstream in 1.3.10 and 1.4.4.

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-05-29 00:41:31 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 1.3.10 and 1.4.4

Bruno Cornec 2021-05-29 11:30:56 CEST

Status: NEW => ASSIGNED

Comment 1 Bruno Cornec 2021-05-29 11:56:34 CEST
1.4.4 pushed into cauldron and for mga7 & mga8 in update_testing
Bruno Cornec 2021-05-29 11:56:48 CEST

Assignee: bruno => qa-bugs

Comment 2 David Walser 2021-05-29 18:33:33 CEST
Fedora has issued an advisory for this on March 15:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/
Thomas Backlund 2021-05-29 18:55:32 CEST

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8

Comment 3 David Walser 2021-05-30 04:59:07 CEST
You didn't update Cauldron (forgot to commit to SVN?).

Also, please leave yourself in CC when assigning to QA.

docker-containerd-1.4.4-1.mga7
docker-containerd-1.4.4-1.mga8

Assignee: qa-bugs => bruno

Comment 4 Bruno Cornec 2021-05-30 11:59:26 CEST
cauldron is now updated, sorry I missed that one.

Wrt leaving myself in Cc: in fact I didn't do anything special here, and generally I receive a copy of the BR when I contribute to it, but on this one the box "Add me to cc: list" indeed wasn't checked. Not sure why I don't have to do it the other times.

Hopefully better now.

Assignee: bruno => qa-bugs
CC: (none) => bruno

David Walser 2021-05-31 01:47:53 CEST

Status comment: Fixed upstream in 1.3.10 and 1.4.4 => (none)

Comment 5 Len Lawrence 2021-06-09 13:01:29 CEST
mga8, x64

$ rpm -q docker-containerd
docker-containerd-1.4.3-2.mga8

Using the procedure outlined by Bruno some time ago.  Running docker seems like the best way to test the container components.
Added user to docker group - logged out and in.

$ sudo systemctl enable docker
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
$ sudo systemctl start docker
$ sudo systemctl status docker
● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; vendor pr>
     Active: active (running) since Wed 2021-06-09 10:53:20 BST; 7s ago

Started with a clean system:
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
$

Updated docker-containerd and restarted the docker daemon.
$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete 
Digest: sha256:5122f6204b6a3596e048758cabba3c46b1c937a46b5be6225b835d091b90e46c
Status: Downloaded newer image for hello-world:latest
docker: Error response from daemon: cgroups: cgroup mountpoint does not exist: unknown.
ERRO[0003] error waiting for container: context canceled 
$ grep cgroup /etc/group
$
This is something new - web searches seem to suggest that "cgroups" have to be mounted inside a container.  "Chicken and egg" scenario.
cgroups added and user assigned to cgroups.  hello-world still fails.

Where to go from here?  /sys/fs seems to be the mount point - inside or outside?
stackoverflow casts doubt on mounting cgroups inside a docker container.
https://stackoverflow.com/questions/32534203/mounting-cgroups-inside-a-docker-container#35928100

The big puzzle is - why does hello-world fail now when it always used to work?
Have I missed a step?

CC: (none) => tarazed25
Keywords: (none) => NEEDHELP

Comment 6 Thomas Backlund 2021-06-09 14:49:48 CEST
What kernel are you using ?

is it 5.10.41 ?

if so, does it work if you boot with the older 5.10.37 ?
Comment 7 David Walser 2021-06-09 15:18:06 CEST
Someone said on libera IRC that they needed to mkdir something under /sys to get docker to work on mga8.  It's already scrolled out of the buffer so I lost it, but I think it was /sys/fs/cgroup/systemd
Comment 8 Len Lawrence 2021-06-09 15:47:18 CEST
@tmb reference comment 6
Using 5.12.8-desktop-1.mga8.  Shall try reverting to kernel 5.10.37.

@david re comment 7
/sys/fs/cgroup exists.  Added /sys/fs/cgroup/systemd.
hello-world still fails so reverting the kernel is the next step.
Comment 10 Len Lawrence 2021-06-09 15:55:15 CEST
OK.  Running kernel 5.10.37.
hello-world fails.
cgroup mountpoint does not exist: unknown

$ ls /sys/fs/cgroup
cgroup.controllers      cgroup.subtree_control  docker/           system.slice/
cgroup.max.depth        cgroup.threads          init.scope/       user.slice/
cgroup.max.descendants  cpuset.cpus.effective   io.stat
cgroup.procs            cpuset.mems.effective   memory.numa_stat
cgroup.stat             cpu.stat                memory.stat
Comment 11 David Walser 2021-06-09 16:11:24 CEST
(In reply to David Walser from comment #7)
> Someone said on libera IRC that they needed to mkdir something under /sys to
> get docker to work on mga8.  It's already scrolled out of the buffer so I
> lost it, but I think it was /sys/fs/cgroup/systemd

Apparently it's in Bugzilla too, Bug 27251.
Comment 12 Len Lawrence 2021-06-09 16:29:50 CEST
$ docker info | grep Server
Server:
 Server Version: 19.03.15

So we need docker 20?
Looking for it.
Comment 13 Thomas Backlund 2021-06-09 16:49:56 CEST
(In reply to Len Lawrence from comment #10)
> OK.  Running kernel 5.10.37.
> hello-world fails.
> cgroup mountpoint does not exist: unknown
> 
ok, "good"...
There is a patch in 5.10.41 (and 5.12.9) that may affect some container setups, so I wanted to rule that one out ...
Comment 14 David Walser 2021-06-09 16:50:45 CEST
Where did you get that from?  Mageia 8 has docker 19.
Comment 15 Thomas Backlund 2021-06-09 17:03:39 CEST
(In reply to David Walser from comment #14)
> Where did you get that from?  Mageia 8 has docker 19.

https://bugs.mageia.org/show_bug.cgi?id=27251
Comment 16 David Walser 2021-06-09 17:11:28 CEST
Ahh, thanks.
Comment 17 Len Lawrence 2021-06-09 17:13:59 CEST
Yay!  Installed latest docker and restarted the daemon.
$ docker run hello-world

Hello from Docker!
This message shows that your installation appears to be working correctly.
.....
$ docker run -ti ubuntu /bin/bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
345e3491a907: Pull complete 
57671312ef6f: Pull complete 
5e9250ddb7d0: Pull complete 
Digest: sha256:adf73ca014822ad8237623d388cedf4d5346aa72c270c5acc01431cc93e18e2d
Status: Downloaded newer image for ubuntu:latest
root@7d578ca5fa52:/# dmesg
<all is well>
# exit

$ docker images
REPOSITORY    TAG       IMAGE ID       CREATED        SIZE
ubuntu        latest    7e0aa2d69a15   6 weeks ago    72.7MB
hello-world   latest    d1165f221234   3 months ago   13.3kB
$ docker pull fedora:latest
latest: Pulling from library/fedora
b1495d80d526: Pull complete 
Digest: sha256:f534c437436eb44b7ac73646e642732fc055a75d84f900f07c3bbaa392007810
Status: Downloaded newer image for fedora:latest
docker.io/library/fedora:latest
$ docker run -ti fedora:latest /bin/bash
[root@4f3c585e6007 /]# dnf install ruby ruby-devel 
Fedora 34 openh264 (From Cisco) - x86_64        1.5 kB/s | 2.5 kB     00:01    
Fedora Modular 34 - x86_64                      4.3 MB/s | 4.9 MB     00:01    
Fedora Modular 34 - x86_64 - Updates            2.6 MB/s | 4.2 MB     00:01    
Fedora 34 - x86_64 - Updates                    7.1 MB/s |  15 MB     00:02    
Fedora 34 - x86_64                              9.3 MB/s |  74 MB     00:07    
Dependencies resolved.
================================================================================
 Package                   Arch        Version               Repository    Size
================================================================================
Installing:
 ruby                      x86_64      3.0.1-148.fc34        updates       41 k
 ruby-devel                x86_64      3.0.1-148.fc34        updates      266 k
Installing dependencies:
 dwz                       x86_64      0.14-1.fc34           fedora       129 k
 efi-srpm-macros           noarch      5-2.fc34              fedora        21 k
..................
Transaction Summary
================================================================================
Install  37 Packages

Total download size: 6.2 M
Installed size: 22 M
Is this ok [y/N]: y
Downloading Packages:
(1/37): go-srpm-macros-3.0.10-1.fc34.noarch.rpm 148 kB/s |  25 kB     00:00    
(2/37): python-srpm-macros-3.9-36.fc34.noarch.r 114 kB/s |  21 kB     00:00    
..................
  unzip-6.0-50.fc34.x86_64                                                      
  zip-3.0-28.fc34.x86_64                                                        

Complete!
[root@4f3c585e6007 /]# sudo gem install astro_moon
Fetching astro_moon-0.2.gem
Successfully installed astro_moon-0.2
Parsing documentation for astro_moon-0.2
Installing ri documentation for astro_moon-0.2
Done installing documentation for astro_moon after 0 seconds
1 gem installed
[root@4f3c585e6007 /]# exit
$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED             STATUS                      PORTS     NAMES
4f3c585e6007   fedora:latest   "/bin/bash"   5 minutes ago       Exited (0) 19 seconds ago             goofy_poincare
7d578ca5fa52   ubuntu          "/bin/bash"   10 minutes ago      Exited (0) 8 minutes ago              zen_mahavira
4f1fce36f56c   hello-world     "/hello"      15 minutes ago      Exited (0) 15 minutes ago             relaxed_ganguly

<lots of hello-world images  ???>

$ docker inspect goofy_poincare
[
    {
        "Id": "4f3c585e600726db78c1829159c1860d6aecf4d839d3ff3652696fff1ff243a6",
        "Created": "2021-06-09T14:40:14.74082071Z",
        "Path": "/bin/bash",
..................

$ docker stop 4f3c585e6007
4f3c585e6007
$ docker restart 4f3c585e6007
4f3c585e6007

Used
$ docker rm <ID>
to clean up.
As far as these basic tests go the containers are working.

Keywords: NEEDHELP => (none)

Comment 18 Len Lawrence 2021-06-09 17:18:24 CEST
So - this is a protocol violation on my part?  i.e. installing the testing version of docker before it has been released to and approved by QA.
Comment 19 David Walser 2021-06-09 17:21:26 CEST
Not really.  You know now that this update is ok, but someone should remind Bruno to push the other bug to QA.
Len Lawrence 2021-06-09 19:02:48 CEST

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 20 Len Lawrence 2021-06-10 12:12:39 CEST
mga8, x64

Starting again.
$ id
uid=1000(lcl) gid=1000(lcl) groups=1000(lcl),955(docker),957(vboxusers)
$ rpm -q docker
docker-19.03.15-1.mga8
$ rpm -qa | grep container
opencontainers-runc-1.0.0-0.rc92.7.dev.gitff819c7.mga8
docker-containerd-1.4.3-2.mga8

Started docker daemon.
$ docker version
Client:
 Version:           19.03.0-dev
Server:
 Engine:
  Version:          19.03.15

Updated docker and docker-containerd.
# ls /sys/fs/cgroup
cgroup.controllers      cgroup.threads         memory.numa_stat
cgroup.max.depth        cpuset.cpus.effective  memory.stat
cgroup.max.descendants  cpuset.mems.effective  system.slice/
cgroup.procs            cpu.stat               user.slice/
cgroup.stat             init.scope/
cgroup.subtree_control  io.stat

Started docker daemon.

$ grep cgroup /etc/group
$ docker version
Client:
 Version:           unknown-version
 API version:       1.41
....
Server:
 Engine:
  Version:          library-import
  API version:      1.41 (minimum version 1.12)

cgroup is not defined as a group, so we can forget that.

$ docker run hello-world
Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
b8dfde127a29: Pull complete 
Digest: sha256:9f6ad537c5132bcce57f7a0a20e317228d382c3cd61edae14650eec68b2b345c
Status: Downloaded newer image for hello-world:latest
Hello from Docker!
This message shows that your installation appears to be working correctly.
$ docker run -it ubuntu bash
....
5e9250ddb7d0: Pull complete 
Digest: sha256:adf73ca014822ad8237623d388cedf4d5346aa72c270c5acc01431cc93e18e2d
Status: Downloaded newer image for ubuntu:latest
root@f23b80b4881b:/# exit

$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
b1495d80d526: Pull complete 
Digest: sha256:f534c437436eb44b7ac73646e642732fc055a75d84f900f07c3bbaa392007810
Status: Downloaded newer image for fedora:latest
docker.io/library/fedora:latest

$ docker run -ti fedora:latest /bin/bash
[root@2d58f04b2fc5 /]# dnf install lua
.........
Installed:
  lua-5.4.3-1.fc34.x86_64                                                       
Complete!
[root@2d58f04b2fc5 /]# lua
Lua 5.4.3  Copyright (C) 1994-2021 Lua.org, PUC-Rio
> print( "Hello and goodbye" )
Hello and goodbye
> 
[root@2d58f04b2fc5 /]# dnf install glmark2
..........................
Installed:
  glmark2-2021.02-1.fc34.x86_64          glmark2-common-2021.02-1.fc34.noarch  
  hwdata-0.348-1.fc34.noarch             libX11-1.7.0-3.fc34.x86_64            
  libX11-common-1.7.0-3.fc34.noarch      libXau-1.0.9-6.fc34.x86_64            
  libdrm-2.4.105-1.fc34.x86_64           libjpeg-turbo-2.0.90-2.fc34.x86_64    
  libpciaccess-0.16-4.fc34.x86_64        libpng-2:1.6.37-10.fc34.x86_64        
  libwayland-client-1.19.0-1.fc34.x86_64 libwayland-cursor-1.19.0-1.fc34.x86_64
  libwayland-egl-1.19.0-1.fc34.x86_64    libwayland-server-1.19.0-1.fc34.x86_64
  libxcb-1.13.1-7.fc34.x86_64            mesa-libgbm-21.1.1-1.fc34.x86_64      
Complete!
[root@2d58f04b2fc5 /]# exit

$ docker ps -a
CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS                        PORTS     NAMES
2d58f04b2fc5   fedora:latest   "/bin/bash"   11 minutes ago   Exited (1) 3 minutes ago                fervent_dubinsky
f23b80b4881b   ubuntu          "bash"        18 minutes ago   Exited (100) 15 minutes ago             wizardly_pascal
818f96f8a1fd   hello-world     "/hello"      20 minutes ago   Exited (0) 20 minutes ago               practical_meninsky

$ docker inspect <NAMES>
works.
Cleaned up using `docker rm <CONTAINER ID>`
$ docker ps -a
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES

This all looks pretty sound.  The packages had already been tested at a basic level in bug 29003.

Whiteboard: MGA7TOO MGA8-64-OK => MGA8-64-OK

Comment 21 Bruno Cornec 2021-06-10 14:25:50 CEST
(In reply to David Walser from comment #19)
> Not really.  You know now that this update is ok, but someone should remind
> Bruno to push the other bug to QA.

Thanks for the reminder done. And thanks for the tests.
David Walser 2021-06-10 14:36:53 CEST

Whiteboard: MGA8-64-OK => MGA7TOO MGA8-64-OK

Comment 22 Len Lawrence 2021-06-11 15:41:57 CEST
mga7, x64

Added user to docker group and started the docker daemon.
No problem running hello-world with docker-containerd-1.2.5-2.mga7. /sys/fs/cgroup exists.

Updated the package.
/sys/fs/cgroup exists.  Should have checked for it earlier.  Restarted the daemon.
$ docker version
Client:
 Version:           18.09.0-dev
 API version:       1.39
 Go version:        go1.13.15
 Git commit:        039a7df
 Built:             Sun Nov  1 11:46:39 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.09.9
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       039a7df
  Built:            Sun Nov  1 11:46:02 2020
  OS/Arch:          linux/amd64
  Experimental:     false

$ docker run hello-world
Hello from Docker!
$ docker ps -a
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS                      PORTS               NAMES
a1cd75120aa2        hello-world         "/hello"            3 minutes ago       Exited (0) 3 minutes ago                        flamboyant_kare
2d55b18a95d5        hello-world         "/hello"            12 minutes ago      Exited (0) 12 minutes ago                       dreamy_mestorf
$ docker inspect dreamy_mestorf | grep Network
            "NetworkMode": "default",
        "NetworkSettings": {
            "Networks": {
                    "NetworkID": "a37e183b14c385416029f0c3ad64fdbbc10f2eff52dce652f655b82761cb1891",
$ docker rm 2d55b18a95d5
2d55b18a95d5
$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
b1495d80d526: Pull complete 
Digest: sha256:f534c437436eb44b7ac73646e642732fc055a75d84f900f07c3bbaa392007810
Status: Downloaded newer image for fedora:latest
$ docker run -it ubuntu bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
345e3491a907: Pull complete 
57671312ef6f: Pull complete 
5e9250ddb7d0: Pull complete 
Digest: sha256:adf73ca014822ad8237623d388cedf4d5346aa72c270c5acc01431cc93e18e2d
Status: Downloaded newer image for ubuntu:latest
root@7625b3f4849e:/# ls /bin
'['                        getopt             rgrep
 addpart                   gpasswd            rm
...............
root@7625b3f4849e:/# exit
$ docker rm 7625b3f4849e
7625b3f4849e
$ docker pull fedora
Using default tag: latest
latest: Pulling from library/fedora
Digest: sha256:f534c437436eb44b7ac73646e642732fc055a75d84f900f07c3bbaa392007810
Status: Image is up to date for fedora:latest
$ docker run -ti fedora:latest /bin/bash
[root@16ab40ff0df1 /]# dnf install ruby
Fedora 34 openh264 (From Cisco) - x86_64        2.9 kB/s | 2.5 kB     00:00    
[...]
Installed:
  ruby-3.0.1-148.fc34.x86_64                                                    
[...]
Complete!
[root@16ab40ff0df1 /]# gem install astro_moon
Fetching astro_moon-0.2.gem
Successfully installed astro_moon-0.2
Parsing documentation for astro_moon-0.2
Installing ri documentation for astro_moon-0.2
Done installing documentation for astro_moon after 0 seconds
1 gem installed
[root@16ab40ff0df1 /]# dnf install ruby-irb
[...]
Installing:
 rubygem-irb        noarch        1.3.5-148.fc34           updates         73 k
....
[root@16ab40ff0df1 /]# irb
irb(main):001:0> (1..15).reduce( :+ )
=> 120
irb(main):002:0> exit
[root@16ab40ff0df1 /]# exit
exit

Good enough, and validating.

Keywords: (none) => validated_update
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => sysadmin-bugs

Comment 23 Aurelien Oudelet 2021-06-13 21:35:14 CEST
Advisory:
========================

Updated docker-containerd packages fix a security vulnerability:

In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue. This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. (CVE-2021-21334).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29003
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21334
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE/
========================

Updated package in 7/core/updates_testing:
========================
docker-containerd-1.4.4-1.mga7

from SRPM:
docker-containerd-1.4.4-1.mga7.src.rpm

Updated package in 8/core/updates_testing:
========================
docker-containerd-1.4.4-1.mga8

from SRPM:
docker-containerd-1.4.4-1.mga8.src.rpm

CC: (none) => ouaurelien
CVE: (none) => CVE-2021-21334
Keywords: (none) => advisory
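
The advisory above gives the affected range as "before 1.3.10 and 1.4.4", which is easy to misread when the installed build is a distro RPM or a pre-release tag. The script below is an added example for this bug report, not Mageia or containerd code: it takes the version strings quoted in this thread (`rpm -q docker-containerd` output such as `docker-containerd-1.4.3-2.mga8`) or a `v1.4.3` token of the kind `containerd --version` is assumed to print, and classifies the build against the two fixed releases named in the advisory. The pre-release handling (`-rc`, `-beta`, `-alpha` sorting before the release) and the `containerd --version` format are assumptions, not taken from the page. Note that the advisory also limits exposure to the CRI plugin, so a "vulnerable" result on a plain Docker host means "update", not "exploitable".

```python
"""Classify a containerd build against the CVE-2021-21334 affected range.

Added example for this bug report, not Mageia or containerd code.  The only
facts taken from the advisory are the fixed releases: 1.3.10 and 1.4.4.  The
`containerd --version` output format and the handling of pre-release tags are
assumptions, documented where they are used.
"""
import re
from typing import Optional, Tuple

# First fixed release on each affected branch (from the advisory text).
FIXED = {(1, 3): (1, 3, 10), (1, 4): (1, 4, 4)}
NEWEST_FIXED_BRANCH = max(FIXED)  # later branches (1.5+) were cut after the fix

# (major, minor, patch, final): final is 1 for a release and 0 for a
# pre-release, so plain tuple ordering places "1.4.4-rc.0" before "1.4.4".
Version = Tuple[int, int, int, int]

# Assumption: pre-releases are tagged -rc/-beta/-alpha, as upstream does.
_VERSION_RE = re.compile(
    r"(?<![\w.])v?(\d+)\.(\d+)\.(\d+)(-(?:rc|beta|alpha)[\w.]*)?(?![\d.])"
)


def parse_version(text: str) -> Optional[Version]:
    """Pull the first X.Y.Z triple out of free-form version text.

    Works for the RPM NEVR strings quoted in this bug
    ("docker-containerd-1.4.3-2.mga8") and for a "v1.4.3" token, which is
    the form `containerd --version` is assumed to print.  Returns None when
    no triple is present rather than guessing.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    final = 0 if m.group(4) else 1
    return (major, minor, patch, final)


def is_vulnerable(version: Version) -> bool:
    """True if the build predates the fix on its branch.

    Version-only check: the advisory additionally limits exposure to
    containerd's CRI plugin, which this function does not know about.
    """
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch] + (1,)   # strictly before the fixed release
    if branch > NEWEST_FIXED_BRANCH:
        return False                             # 1.5.0 and later ship the fix
    return True                                  # 1.2 and older never received it


def assess(version_output: str) -> str:
    """Map raw version text to 'vulnerable', 'fixed' or 'unknown'."""
    version = parse_version(version_output)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "fixed"


if __name__ == "__main__":
    # Package versions quoted in this bug report, before and after the update.
    for sample in ("docker-containerd-1.4.3-2.mga8",
                   "docker-containerd-1.4.4-1.mga8",
                   "docker-containerd-1.2.5-2.mga7"):
        print(f"{sample}: {assess(sample)}")
```

Run it as `rpm -q docker-containerd | python3 check.py` (after swapping the `__main__` loop for `sys.stdin`), or feed it `containerd --version` on a host that installs upstream binaries. An `unknown` result means the text carried no X.Y.Z triple and should be looked at by hand rather than treated as fixed.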

Comment 24 Mageia Robot 2021-06-13 23:34:34 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0248.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

