
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (CVE-2021-43816) was discovered in containerd, affecting versions 1.5.0 through 1.5.8 (fixed in 1.5.9). On nodes where containerd's CRI plugin runs with SELinux enabled, an unprivileged pod that declares a hostPath volume can have any regular file or directory on the host relabeled so that the container gains complete read/write access to it (GitHub Advisory).
The vulnerability exists in containerd's CRI (Container Runtime Interface) implementation on Linux systems using the SELinux security module. Through specially configured bind mounts in a hostPath volume, a container can cause arbitrary files and directories on the host to be relabeled to match the container process label. Because the relabel rewrites the on-disk SELinux context of the host file, the change persists after the pod exits and is visible to any process confined to the same container domain; it effectively grants the container full read/write access over the affected files and directories (GitHub Advisory). NVD and the GitHub advisory rate the vulnerability Critical (CVSS v3 base score 9.1).
When exploited, this vulnerability allows a container to elevate its permissions, gaining full read/write access over affected files and directories on the host. The only capability the attacker needs is the ability to create a pod with a hostPath volume; no node or root access is required. It affects every system that runs containers through containerd's CRI implementation, whether via Kubernetes, crictl or any other CRI client, on a node with SELinux enabled (containerd's CRI plugin honours its `enable_selinux` setting, which `containerd config dump` shows), and can compromise the host entirely (GitHub Advisory).
The vulnerability has been fixed in containerd version 1.5.9. Users should update to this version as soon as possible and validate that all files on their hosts are correctly labeled; on an SELinux host, `restorecon -nv` over the directories that have been used as hostPath sources reports files whose current context differs from the policy default without changing them. As a workaround, administrators can ensure that no sensitive files or directories are used as hostPath volume source locations and use the Kubernetes Pod Security Policy `allowedHostPaths` field to limit the files and directories that can be bind-mounted into containers (GitHub Advisory). Note that PodSecurityPolicy was removed in Kubernetes 1.25; on newer clusters the equivalent control is Pod Security Admission, whose baseline profile rejects hostPath volumes outright, or a validating admission webhook that enforces the same prefix rules. Kubernetes treats any pod with a hostPath volume as privileged precisely because of this kind of abuse.
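To make the `allowedHostPaths` workaround concrete, the following Go program is an added example, not code from containerd or Kubernetes. It reproduces the PodSecurityPolicy matching rule for `pathPrefix` (a prefix matches on whole path components, so `/foo` permits `/foo`, `/foo/` and `/foo/bar` but not `/food`) together with the `readOnly` requirement, and runs it over a constructed list of hostPath mounts of the kind this advisory warns about. The `HostPathPolicy`, `HostPathMount` and `CheckHostPaths` names are assumptions made for this example; a real admission webhook would derive the mounts from the pod spec.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// AllowedHostPath mirrors one entry of a PodSecurityPolicy allowedHostPaths
// list: PathPrefix is matched on whole path components, and ReadOnly means
// every container mount of a matching volume must be read-only.
type AllowedHostPath struct {
	PathPrefix string
	ReadOnly   bool
}

// HostPathPolicy is the subset of a PSP that governs hostPath volumes
// (names assumed for this example).
type HostPathPolicy struct {
	// HostPathVolumesAllowed corresponds to listing "hostPath" under the PSP
	// "volumes" field; false rejects every hostPath volume outright.
	HostPathVolumesAllowed bool
	// AllowedHostPaths is the allow-list. As in PSP, an empty list means no
	// restriction, so keep HostPathVolumesAllowed false to block hostPath.
	AllowedHostPaths []AllowedHostPath
}

// HostPathMount is one container volumeMount backed by a hostPath volume,
// flattened out of a pod spec for this example.
type HostPathMount struct {
	Container string
	HostPath  string
	ReadOnly  bool
}

// hasPathPrefix reproduces the PSP prefix rule: "/foo" allows "/foo", "/foo/"
// and "/foo/bar" but not "/food" or "/etc/foo". Both sides are cleaned so a
// source such as "/etc/../etc/shadow" cannot slip past the prefix check.
func hasPathPrefix(p, prefix string) bool {
	p = path.Clean(p)
	prefix = path.Clean(prefix)
	if prefix == "/" {
		return true
	}
	return p == prefix || strings.HasPrefix(p, prefix+"/")
}

// CheckHostPaths returns one message per mount the policy rejects; an empty
// result means the pod's hostPath usage is permitted.
func CheckHostPaths(policy HostPathPolicy, mounts []HostPathMount) []string {
	var violations []string
	for _, m := range mounts {
		if !policy.HostPathVolumesAllowed {
			violations = append(violations, fmt.Sprintf("%s: hostPath volumes are not allowed (%s)", m.Container, m.HostPath))
			continue
		}
		if len(policy.AllowedHostPaths) == 0 {
			continue // PSP semantics: no allow-list means unrestricted
		}
		permitted, needsReadOnly := false, false
		for _, a := range policy.AllowedHostPaths {
			if !hasPathPrefix(m.HostPath, a.PathPrefix) {
				continue
			}
			if !a.ReadOnly || m.ReadOnly {
				permitted = true
				break
			}
			needsReadOnly = true // matched, but only a read-only mount is allowed
		}
		switch {
		case permitted:
		case needsReadOnly:
			violations = append(violations, fmt.Sprintf("%s: %s must be mounted read-only", m.Container, m.HostPath))
		default:
			violations = append(violations, fmt.Sprintf("%s: %s is outside every allowed pathPrefix", m.Container, m.HostPath))
		}
	}
	return violations
}

func main() {
	policy := HostPathPolicy{
		HostPathVolumesAllowed: true,
		AllowedHostPaths: []AllowedHostPath{
			{PathPrefix: "/var/log", ReadOnly: true},
			{PathPrefix: "/var/lib/app-data"},
		},
	}
	// Constructed pod mounts; the first two have the shape of the abuse the
	// advisory describes (sensitive host files used as hostPath sources).
	mounts := []HostPathMount{
		{Container: "app", HostPath: "/etc/shadow"},
		{Container: "app", HostPath: "/etc/../etc/sudoers", ReadOnly: true},
		{Container: "app", HostPath: "/var/log"},
		{Container: "app", HostPath: "/var/log-archive", ReadOnly: true},
		{Container: "app", HostPath: "/var/log/containers", ReadOnly: true},
		{Container: "app", HostPath: "/var/lib/app-data/cache"},
	}
	for _, v := range CheckHostPaths(policy, mounts) {
		fmt.Println("DENY:", v)
	}
}
```

Running it denies the first four mounts and permits the last two. Note that a read-only bind mount does not stop the relabel on vulnerable containerd versions; the prefix allow-list is what keeps sensitive host files out of reach, so prefer denying hostPath volumes altogether (`HostPathVolumesAllowed: false`) wherever a workload does not genuinely need them.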
Source: This report was generated using AI