{ "threat_severity" : "Moderate", "public_date" : "2025-03-17T21:32:37Z", "bugzilla" : { "description" : "containerd: containerd has an integer overflow in User ID handling", "id" : "2353043", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2353043" }, "cvss3" : { "cvss3_base_score" : "4.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "status" : "draft" }, "cwe" : "CWE-190", "details" : [ "containerd is an open-source container runtime. A bug was found in containerd prior to versions 1.6.38, 1.7.27, and 2.0.4 where containers launched with a User set as a `UID:GID` larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This could cause unexpected behavior for environments that require containers to run as a non-root user. This bug has been fixed in containerd 1.6.38, 1.7.27, and 2.04. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images.", "A flaw was found in containerd package. Containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root (UID 0). This issue could cause unexpected behavior for environments that require containers to run as a non-root user." ], "statement" : "For Red Hat OpenShift GitOps and OpenShift Container Platform deployments, image sources are controlled through OpenShift's Image configuration and RBAC policies. Administrators can restrict image imports to trusted registries using allowedRegistriesForImport and registrySources configuration.In typical GitOps deployments, application images are pulled from pre-approved registries configured by platform administrators.", "package_state" : [ { "product_name" : "Assisted Installer for Red Hat OpenShift Container Platform 2", "fix_state" : "Fix deferred", "package_name" : "rhai-tech-preview/assisted-installer-agent-rhel8", "cpe" : "cpe:/a:redhat:assisted_installer:2" }, { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "cert-manager/jetstack-cert-manager-acmesolver-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "cert-manager/jetstack-cert-manager-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "Deployment Validation Operator", "fix_state" : "Fix deferred", "package_name" : "deployment-validation-operator-container", "cpe" : "cpe:/a:redhat:deployment_validator_operator" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/logging-loki-rhel9", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "Migration Toolkit for Virtualization", "fix_state" : "Fix deferred", "package_name" : "migration-toolkit-virtualization/mtv-validation-rhel9", "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2" }, { "product_name" : "Multicluster Engine for Kubernetes", "fix_state" : "Fix deferred", "package_name" : "multicluster-engine/assisted-service-8-rhel8", "cpe" : "cpe:/a:redhat:multicluster_engine" }, { "product_name" : "Multicluster Engine for Kubernetes", "fix_state" : "Fix deferred", "package_name" : "multicluster-engine/assisted-service-9-rhel9", "cpe" : "cpe:/a:redhat:multicluster_engine" }, { "product_name" : "Network Observability Operator", "fix_state" : "Fix deferred", "package_name" : "network-observability/network-observability-cli-rhel9", "cpe" : "cpe:/a:redhat:network_observ_optr:1" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Fix deferred", "package_name" : "jenkins-agent-base-container", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Fix deferred", "package_name" : "ocp-tools-4/jenkins-agent-base-rhel8", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Lightspeed", "fix_state" : "Fix deferred", "package_name" : "openshift-lightspeed-tech-preview/lightspeed-service-api-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1/client-kn-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1-func-utils-rhel8-container", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1/kn-client-cli-artifacts-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1/kn-client-kn-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1/kn-plugin-func-func-util-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1/serverless-ingress-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1/serverless-kn-operator-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1/serverless-must-gather-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Fix deferred", "package_name" : "openshift-serverless-1/serverless-openshift-kn-rhel8-operator", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Service Mesh 3", "fix_state" : "Fix deferred", "package_name" : "openshift-istio-operator-container", "cpe" : "cpe:/a:redhat:service_mesh:3" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "rhacm2/multicloud-integrations-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "rhacm2/multicluster-operators-channel-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "rhacm2/multicluster-operators-subscription-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "rhacm2/prometheus-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Security 4", "fix_state" : "Fix deferred", "package_name" : "advanced-cluster-security/rhacs-central-db-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4" }, { "product_name" : "Red Hat Advanced Cluster Security 4", "fix_state" : "Fix deferred", "package_name" : "advanced-cluster-security/rhacs-main-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4" }, { "product_name" : "Red Hat Advanced Cluster Security 4", "fix_state" : "Fix deferred", "package_name" : "advanced-cluster-security/rhacs-rhel8-operator", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4" }, { "product_name" : "Red Hat Advanced Cluster Security 4", "fix_state" : "Fix deferred", "package_name" : "advanced-cluster-security/rhacs-roxctl-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4" }, { "product_name" : "Red Hat Advanced Cluster Security 4", "fix_state" : "Fix deferred", "package_name" : "advanced-cluster-security/rhacs-scanner-v4-db-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4" }, { "product_name" : "Red Hat Advanced Cluster Security 4", "fix_state" : "Fix deferred", "package_name" : "advanced-cluster-security/rhacs-scanner-v4-rhel8", "cpe" : "cpe:/a:redhat:advanced_cluster_security:4" }, { "product_name" : "Red Hat Developer Hub", "fix_state" : "Fix deferred", "package_name" : "rhdh-orchestrator-dev-preview-beta/controller-rhel9-operator", "cpe" : "cpe:/a:redhat:rhdh:1" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-api-server-v2-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-driver-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-launcher-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Fix deferred", "package_name" : "rhoai/odh-model-controller-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "kata-containers", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-operator-framework-tools-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "stargz-snapshotter", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Fix deferred", "package_name" : "openshift-gitops-1/argocd-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Fix deferred", "package_name" : "openshift-gitops-1/argocd-rhel9", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat Openshift Sandboxed Containers", "fix_state" : "Fix deferred", "package_name" : "openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9", "cpe" : "cpe:/a:redhat:openshift_sandboxed_containers:1" }, { "product_name" : "Red Hat Openshift Sandboxed Containers", "fix_state" : "Fix deferred", "package_name" : "openshift-sandboxed-containers/osc-cloud-api-adaptor-webhook-rhel9", "cpe" : "cpe:/a:redhat:openshift_sandboxed_containers:1" }, { "product_name" : "Red Hat Openshift Sandboxed Containers", "fix_state" : "Fix deferred", "package_name" : "openshift-sandboxed-containers/osc-podvm-payload-rhel9", "cpe" : "cpe:/a:redhat:openshift_sandboxed_containers:1" }, { "product_name" : "Red Hat Openshift Sandboxed Containers", "fix_state" : "Fix deferred", "package_name" : "osc-podvm-builder-container", "cpe" : "cpe:/a:redhat:openshift_sandboxed_containers:1" }, { "product_name" : "Red Hat OpenShift Virtualization 4", "fix_state" : "Fix deferred", "package_name" : "container-native-virtualization/multus-dynamic-networks-rhel9", "cpe" : "cpe:/a:redhat:container_native_virtualization:4" }, { "product_name" : "Red Hat Trusted Application Pipeline", "fix_state" : "Fix deferred", "package_name" : "rhtap-cli/rhtap-cli-rhel9", "cpe" : "cpe:/a:redhat:trusted_application_pipeline:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-40635\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-40635\nhttps://github.com/containerd/containerd/commit/05044ec0a9a75232cad458027ca83437aae3f4da\nhttps://github.com/containerd/containerd/commit/1a43cb6a1035441f9aca8f5666a9b3ef9e70ab20\nhttps://github.com/containerd/containerd/commit/cf158e884cfe4812a6c371b59e4ea9bc4c46e51a\nhttps://github.com/containerd/containerd/security/advisories/GHSA-265r-hfxg-fhmg" ], "name" : "CVE-2024-40635", "mitigation" : { "value" : "To mitigate this vulnerability, ensure that only trusted images are used and that only trusted users have permissions to import images.\nTo implement the recommended controls in OpenShift:\n1. Restrict allowed registries at the cluster level by configuring image.config.openshift.io/cluster with allowedRegistriesForImport and registrySources.allowedRegistries.\n2. To find out who can pull/import container images into OpenShift for that namespace Based on RBAC permissions: `oc adm policy who-can create imagestreamimports -n `\n3. Enforce image signature verification using sigstore or cluster image signature policies.\n4. For GitOps deployments, use Gatekeeper/OPA policies to enforce that ArgoCD Applications reference only approved registries.", "lang" : "en:us" }, "csaw" : false }