chore(deps): update module github.com/containerd/containerd to v1.7.11 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/containerd/containerd	v1.7.10 -> v1.7.11

GitHub Vulnerability Alerts

GHSA-7ww5-4wqc-m92c

/sys/devices/virtual/powercap accessible by default to containers

Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via sysfs. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.

By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside a SGX enclave) and KASLR (kernel address space layout randomization). Also known as the PLATYPUS attack, Intel assigned CVE-2020-8694 and CVE-2020-8695, and AMD assigned CVE-2020-12912.

Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel prevents access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios:

• Unless using user namespaces, root inside a container has the same level of privilege as root outside the container, but with a slightly more narrow view of the system
• sysfs is mounted inside containers read-only; however only read access is needed to carry out this attack on an unpatched CPU

While this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments. This is provided by masking /sys/devices/virtual/powercap in the default mount configuration, and adding an additional set of rules to deny it in the default AppArmor profile.

While sysfs is not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such as CAP_SYS_RAWIO which is not available to containers by default, or perf paranoia level less than 1, which is a non-default kernel tunable.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8694
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8695
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12912
• https://platypusattack.com/
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=949dd0104c496fa7c14991a23c03c62e44637e71
• https://web.eece.maine.edu/~vweaver/projects/rapl/

---

Release Notes

containerd/containerd (github.com/containerd/containerd)

v1.7.11: containerd 1.7.11

Compare Source

Welcome to the v1.7.11 release of containerd!

The eleventh patch release for containerd 1.7 contains various fixes and updates including
one security issue.

Notable Updates

• Fix Windows default path overwrite issue (#​9440)
• Update push to always inherit distribution sources from parent (#​9452)
• Update shim to use net dial for gRPC shim sockets (#​9458)
• Fix otel version incompatibility (#​9483)
• Fix Windows snapshotter blocking snapshot GC on remove failure (#​9482)
• Mask /sys/devices/virtual/powercap path in runtime spec and deny in default apparmor profile (GHSA-7ww5-4wqc-m92c)

Deprecation Warnings

• Emit deprecation warning for AUFS snapshotter (#​9436)
• Emit deprecation warning for v1 runtime (#​9450)
• Emit deprecation warning for deprecated CRI configs (#​9469)
• Emit deprecation warning for CRI v1alpha1 usage (#​9479)
• Emit deprecation warning for CRIU config in CRI (#​9481)

See the changelog for complete list of changes

Please try out the release binaries and report any issues at
https://github.com/containerd/containerd/issues.

Contributors

• Samuel Karp
• Derek McGowan
• Phil Estes
• Bjorn Neergaard
• Danny Canter
• Sebastiaan van Stijn
• ruiwen-zhao
• Akihiro Suda
• Amit Barve
• Charity Kathure
• Maksym Pavlenko
• Milas Bowman
• Paweł Gronowski
• Wei Fu

Changes

39 commits

• [release/1.7] Prepare release notes for v1.7.11 (#​9491)
  • dfae68bc3 Prepare release notes for v1.7.11
• [release/1.7] update to go1.20.12, test go1.21.5 (#​9352)
  • 0d314401d update to go1.20.12, test go1.21.5
  • 1ec1ae2c6 update to go1.20.11, test go1.21.4
• Github Security Advisory GHSA-7ww5-4wqc-m92c
  • cb804da21 contrib/apparmor: deny /sys/devices/virtual/powercap
  • 40162a576 oci/spec: deny /sys/devices/virtual/powercap
• [release/1.7] Don't block snapshot garbage collection on Remove failures (#​9482)
  • ed7c6895b Don't block snapshot garbage collection on Remove failures
• [release/1.7] Add warning for CRIU config usage (#​9481)
  • 1fdefdd22 Add warning for CRIU config usage
• [release/1.7] Fix otel version incompatibility (#​9483)
  • f8f659e66 Add HTTP client update function to tracing library
  • 807ddd658 fix(tracing): use latest version of semconv
• [release/1.7] Add cri-api v1alpha2 usage warning to all api calls (#​9479)
  • dc45bc838 Add cri-api v1alpha2 usage warning to all api calls
• [release/1.7] cri: add deprecation warnings for deprecated CRI configs (#​9469)
  • 9d1bad62e deprecation: fix missing spaces in warnings
  • 51a604c07 cri: add deprecation warning for runtime_root
  • 8040e74bf cri: add deprecation warning for rutnime_engine
  • 99adc40eb cri: add deprecation warning for default_runtime
  • afef7ec64 cri: add warning for untrusted_workload_runtime
  • 6220dc190 cri: add warning for old form of systemd_cgroup
• [release/1.7] runtime/v2: net.Dial gRPC shim sockets before trying grpc (#​9458)
  • 80f96cd18 runtime/v2: net.Dial gRPC shim sockets before trying grpc
• [release/1.7] tasks: emit warning for v1 runtime and runc v1 runtime (#​9450)
  • f471bb2b8 tasks: emit warning for runc v1 runtime
  • 329e1d487 tasks: emit warning for v1 runtime
• [release/1.7] push: always inherit distribution sources from parent (#​9452)
  • 4464fde12 push: always inherit distribution sources from parent
• [release/1.7] Update tar tests to run on Darwin (#​9451)
  • 7e069ee25 Update tar tests to run on Darwin
• [release/1.7] ctr: Add sandbox flag to ctr run (#​9449)
  • 5fc0e4e61 ctr: Add sandbox flag to ctr run
• [release/1.7] Windows default path overwrite fix (#​9440)
  • 31fe03764 Fix windows default path overwrite issue
• [release/1.7] snapshots: emit deprecation warning for aufs (#​9436)
  • 625b35e4b snapshots: emit deprecation warning for aufs

Dependency Changes

• github.com/felixge/httpsnoop v1.0.3 new
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 new

Previous release can be found at v1.7.10

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: renovate[bot]
Once this PR has been reviewed and has the lgtm label, please assign n1hility for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[rhatdan]

Since there are no actual code changes, I am forcing this through.