发布时间: 2025年3月21日
修改时间: 2025年3月29日
containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.
| NVD | openEuler | |
|---|---|---|
| Confidentiality | High | Low |
| Attack Vector | Local | Local |
| CVSS评分 | 7.8 | 4.6 |
| Attack Complexity | Low | Low |
| Privileges Required | Low | High |
| Scope | Unchanged | Changed |
| Integrity | High | Low |
| User Interaction | None | None |
| Availability | High | None |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2025-2461 | containerd security update | 2025年5月1日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-5A | containerd | Fixed |
| V6 | containerd | Fixed |
| KY3.5.3 | containerd | Fixed |
| KY3.5.2 | containerd | Fixed |
