Amazon Linux AMI : containerd, docker (ALAS-2021-1551)

medium Nessus Plugin ID 155607

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

The version of containerd installed on the remote host is prior to 1.4.6-7.11. The version of docker installed on the remote host is prior to 20.10.7-5.76. It is, therefore, affected by a vulnerability as referenced in the ALAS-2021-1551 advisory.

- The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both manifests? and layers? fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content- Type header and reject an ambiguous document that contains both manifests? and layers? fields or manifests? and config? fields if they are unable to update to version 1.0.1 of the spec.
(CVE-2021-41190)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update containerd' to update your system.
Run 'yum update docker' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2021-1551.html

https://access.redhat.com/security/cve/CVE-2021-41190

Plugin Details

Severity: Medium

ID: 155607

File Name: ala_ALAS-2021-1551.nasl

Version: 1.3

Type: local

Agent: unix

Published: 11/18/2021

Updated: 11/23/2021

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent

Risk Information

CVSS Score Source: CVE-2021-41190

VPR

Risk Factor: Low

Score: 2.4

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.4

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:containerd, p-cpe:/a:amazon:linux:containerd-debuginfo, p-cpe:/a:amazon:linux:containerd-stress, p-cpe:/a:amazon:linux:docker, p-cpe:/a:amazon:linux:docker-debuginfo, cpe:/o:amazon:linux

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 11/17/2021

Vulnerability Publication Date: 11/17/2021

Reference Information

CVE: CVE-2021-41190

ALAS: 2021-1551