CVE-2021-41190: Clarify Content-Type handling in OCI spec
First published: Wed Nov 17 2021(Updated: )
In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image. References: <a href="https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42">https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42</a> <a href="https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m">https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m</a> <a href="https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh">https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh</a> <a href="https://github.com/containerd/containerd/releases/tag/v1.4.12">https://github.com/containerd/containerd/releases/tag/v1.4.12</a> <a href="https://github.com/containerd/containerd/releases/tag/v1.5.8">https://github.com/containerd/containerd/releases/tag/v1.5.8</a> <a href="https://github.com/moby/moby/releases/tag/v20.10.11">https://github.com/moby/moby/releases/tag/v20.10.11</a> <a href="https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35">https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35</a>
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cri-o | <0:1.23.0-92.rhaos4.10.gitdaab4d1.el7 | 0:1.23.0-92.rhaos4.10.gitdaab4d1.el7 |
| Linuxfoundation Open Container Initiative Distribution Specification | <=1.0.0 | |
| Linuxfoundation Open Container Initiative Image Format Specification | <=1.0.1 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| redhat/opencontainers/image-spec | <1.0.1 | 1.0.1 |
| <=1.0.0 | ||
| <=1.0.1 | ||
| =34 | ||
| =35 |
Remedy
https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-41190 https://nvd.nist.gov/vuln/detail/CVE-2021-41190 https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42 https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
- https://bugzilla.redhat.com/show_bug.cgi?id=2024938
- https://access.redhat.com/errata/RHSA-2022:0687
- https://access.redhat.com/errata/RHSA-2022:4956
- https://access.redhat.com/errata/RHSA-2022:7457
- https://access.redhat.com/errata/RHSA-2022:1734
- https://access.redhat.com/errata/RHSA-2022:0055
- https://access.redhat.com/errata/RHSA-2022:5069
- https://access.redhat.com/errata/RHSA-2022:4880
- https://access.redhat.com/errata/RHSA-2022:4668
- https://access.redhat.com/security/cve/cve-2021-41190
- http://www.openwall.com/lists/oss-security/2021/11/19/10
- https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923
- https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/
- https://github.com/moby/moby/security/advisories/GHSA-xmmx-7jpf-fx42
- https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
- https://github.com/containerd/containerd/releases/tag/v1.4.12
- https://github.com/containerd/containerd/releases/tag/v1.5.8
- https://github.com/moby/moby/releases/tag/v20.10.11
- https://github.com/containerd/containerd/security/advisories/GHSA-5j5w-g665-5m35
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2024943
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2024941
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2024939
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2024940
- https://github.com/opencontainers/image-spec/commit/693428a734f5bab1a84bd2f990d92ef1111cd60c
- https://github.com/containerd/containerd/commit/26c76a3014e71af5ad2f396ec76e0e0ecc8e25a3
- https://github.com/cri-o/cri-o/pull/5468
- https://github.com/moby/moby/pull/43025/files
- https://github.com/containers/image/commit/7bcf9bc8b6a66de47df5b765ccaf69d0efc27011
- https://access.redhat.com/errata/RHSA-2022:1476
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A2RRFNTMFYKOTRKD37F5ANMCIO3GGJML/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DX63GRWFEI5RVMYV6XLMCG4OHPWZML27/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SQBCYJUIM5GVCMFUPRWKRZNXMMI5EFA4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T4OJ764CKKCWCVONHD4YXTGR7HZ7LRUV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3TUZNDAH2B26VPBK342UC3BHZNLBUXGX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RZTO6N55WHKHIZI4IMLY2QFBPMVTAERM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4334HT7AZPLWNYHW4ARU6JBUF3VZJPZN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YIGVQWOA5XXCQXEOOKZX4CDAGLBDRPRX/
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-41190
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/title
- agent/description
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/tags
- agent/event
- agent/trending
- package-manager/redhat
- vendor/linuxfoundation
- canonical/linuxfoundation open container initiative distribution specification
- version/linuxfoundation open container initiative distribution specification/1.0.0
- canonical/linuxfoundation open container initiative image format specification
- version/linuxfoundation open container initiative image format specification/1.0.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35