Bug 1193273 - (CVE-2021-41190) VUL-1: CVE-2021-41190: opencontainers: OCI manifest and index parsing confusion
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Hardware: Other Other
Priority: P4 - Low, Severity: Minor
Assigned To: Containers Team
Security Team bot
https://smash.suse.de/issue/315195/
CVSSv3.1:SUSE:CVE-2021-41190:5.0:(AV:...
Reported: 2021-12-01 09:09 UTC by Robert Frohl
Modified: 2023-01-27 14:26 UTC (History)
Found By: Security Response Team
Description Robert Frohl 2021-12-01 09:09:41 UTC
rh#2024938

In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image.

References:

https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
https://github.com/containerd/containerd/releases/tag/v1.4.12
https://github.com/containerd/containerd/releases/tag/v1.5.8
https://github.com/moby/moby/releases/tag/v20.10.11

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2024938
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41190
http://seclists.org/oss-sec/2021/q4/123
https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41190
https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
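
The ambiguity described above, shown from the client side as an added example (not part of the original report and not code from Moby or containerd): a pull-time check that computes the digest, rejects a body readable as both a manifest and an index, and requires any in-body `mediaType` to agree with the Content-Type header. The names `classify` and `probe` and the sample document are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

const ociManifest = "application/vnd.oci.image.manifest.v1+json"
const ociIndex = "application/vnd.oci.image.index.v1+json"

// probe (hypothetical helper) holds only the fields that tell a manifest from an index.
type probe struct {
	MediaType string            `json:"mediaType"`
	Config    json.RawMessage   `json:"config"`
	Layers    []json.RawMessage `json:"layers"`
	Manifests []json.RawMessage `json:"manifests"`
}

// classify returns the digest of body and the one document type it can be read as.
func classify(body []byte, contentType string) (string, string, error) {
	sum := sha256.Sum256(body)
	digest := "sha256:" + hex.EncodeToString(sum[:])
	var p probe
	if err := json.Unmarshal(body, &p); err != nil {
		return digest, "", err
	}
	isIndex := p.Manifests != nil
	isManifest := p.Config != nil || p.Layers != nil
	switch {
	case isIndex && isManifest:
		// Same bytes, same digest, two meanings: the header would decide.
		return digest, "", fmt.Errorf("ambiguous: manifests and config/layers both present")
	case p.MediaType != "" && p.MediaType != contentType:
		return digest, "", fmt.Errorf("mediaType %q does not match Content-Type", p.MediaType)
	case isIndex && contentType == ociIndex:
		return digest, "index", nil
	case isManifest && contentType == ociManifest:
		return digest, "manifest", nil
	}
	return digest, "", fmt.Errorf("body does not match Content-Type %q", contentType)
}

func main() {
	// Constructed sample: one body that parses as both document types.
	body := []byte(`{"schemaVersion":2,"config":{},"layers":[],"manifests":[]}`)
	for _, ct := range []string{ociManifest, ociIndex} {
		fmt.Println(classify(body, ct))
	}
}
```

Both iterations in `main` print the same digest and an error, because the document is refused regardless of which Content-Type accompanies it.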
Comment 1 Swamp Workflow Management 2021-12-04 17:16:15 UTC
openSUSE-SU-2021:1525-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193273
CVE References: CVE-2021-41190
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    singularity-3.8.5-bp153.2.10.1
Comment 4 Swamp Workflow Management 2022-01-27 17:20:34 UTC
SUSE-SU-2022:0213-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.12-16.49.1, docker-20.10.12_ce-98.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-02-04 14:23:44 UTC
openSUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1, docker-kubic-20.10.12_ce-159.1
Comment 6 Swamp Workflow Management 2022-02-04 14:26:28 UTC
SUSE-SU-2022:0334-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1191015,1191121,1191334,1191434,1193273
CVE References: CVE-2021-41089,CVE-2021-41091,CVE-2021-41092,CVE-2021-41103,CVE-2021-41190
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1
SUSE Linux Enterprise Micro 5.1 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1
SUSE Linux Enterprise Micro 5.0 (src):    containerd-1.4.12-60.1, docker-20.10.12_ce-159.1

Comment 8 Swamp Workflow Management 2022-03-04 08:27:56 UTC
SUSE-SU-2022:23018-1: An update that solves 7 vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273
CVE References: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190
JIRA References: SLE-22714
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    conmon-2.0.30-150300.8.3.1, podman-3.4.4-150300.9.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1
SUSE Linux Enterprise Micro 5.1 (src):    conmon-2.0.30-150300.8.3.1, libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1, podman-3.4.4-150300.9.3.2

Comment 9 Swamp Workflow Management 2022-03-04 11:25:22 UTC
openSUSE-SU-2022:23018-1: An update that solves 7 vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273
CVE References: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190
JIRA References: SLE-22714
Sources used:
openSUSE Leap 15.3 (src):    conmon-2.0.30-150300.8.3.1, libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1, podman-3.4.4-150300.9.3.2
Comment 13 Swamp Workflow Management 2022-05-03 19:23:54 UTC
SUSE-SU-2022:1507-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192814,1193273,1193930,1196441,1197284,1197517
CVE References: CVE-2021-41190,CVE-2021-43565,CVE-2022-23648,CVE-2022-24769,CVE-2022-27191
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.5.11-16.57.1, docker-20.10.14_ce-98.80.1

Comment 16 Swamp Workflow Management 2023-01-27 14:26:08 UTC
SUSE-SU-2023:0187-1: An update that solves 6 vulnerabilities, contains one feature and has one errata is now available.

Category: security (important)
Bug References: 1181640,1181961,1193166,1193273,1197672,1199790,1202809
CVE References: CVE-2021-20199,CVE-2021-20206,CVE-2021-4024,CVE-2021-41190,CVE-2022-27649,CVE-2022-2989
JIRA References: PED-2771
Sources used:
openSUSE Leap Micro 5.3 (src):    podman-4.3.1-150400.4.11.1
openSUSE Leap 15.4 (src):    podman-4.3.1-150400.4.11.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    podman-4.3.1-150400.4.11.1
SUSE Linux Enterprise Micro 5.3 (src):    podman-4.3.1-150400.4.11.1
