CVE-2021-21334 Overview
CVE-2021-21334 is an information disclosure vulnerability in containerd, an industry-standard container runtime. The vulnerability affects containerd's Container Runtime Interface (CRI) implementation, where containers launched through the CRI service that share the same image may receive incorrect environment variables, including values defined for other containers. This flaw can lead to unintentional sharing of sensitive information between containers with different security contexts.
Critical Impact
Containers sharing the same image may leak sensitive environment variables (credentials, API keys, secrets) to other containers, potentially compromising multi-tenant Kubernetes deployments.
Affected Products
- Linux Foundation containerd versions prior to 1.3.10
- Linux Foundation containerd versions 1.4.x prior to 1.4.4
- Fedora Project Fedora 33 and 34
Discovery Timeline
- 2021-03-10 - CVE-2021-21334 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-21334
Vulnerability Analysis
This vulnerability exists in containerd's CRI implementation used by Kubernetes, crictl, and other container clients that utilize the containerd CRI service. The flaw occurs when multiple containers are launched from the same container image in rapid succession. Due to a race condition in how environment variables are handled during container creation, containers may inadvertently receive environment variables intended for other containers.
The vulnerability specifically affects the container creation process within the CRI layer. When containers with different security contexts share the same base image and are started in quick succession, the environment variable isolation mechanism fails to properly segregate the configuration intended for each container. This can result in sensitive information such as database credentials, API keys, authentication tokens, and other secrets being exposed to unintended containers.
Root Cause
The root cause of CVE-2021-21334 is improper resource isolation (CWE-668: Exposure of Resource to Wrong Sphere) in the CRI container creation workflow. The environment variable assignment logic contained a race condition that allowed environment configurations to bleed between containers when they were instantiated from the same image within a short time window. The patch introduced proper isolation boundaries to ensure each container's environment variables are correctly scoped during the creation process.
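As an added illustration (not containerd's code, and a simplified model of the failure class described above rather than a reproduction of the actual CRI code path), the Go program below builds two containers' environments from one cached image config: the shared-slice build lets the second container's values overwrite what the first container already holds, while a per-container copy keeps them isolated. The leakedVars check is the kind of post-creation audit that flags variables a container was never supposed to have; all image and container values are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// sharedImageEnv models an image config cached once and reused for every
// container created from that image. The spare capacity is what makes the
// shared backing array visible (constructed sample, not real containerd data).
func sharedImageEnv() []string {
	env := make([]string, 0, 8)
	return append(env, "PATH=/usr/local/bin:/usr/bin", "APP_MODE=prod")
}

// buildEnvBuggy appends per-container variables straight onto the shared
// image slice. Two containers built this way write into the same backing
// array, so the second build silently rewrites the first container's env.
func buildEnvBuggy(image, own []string) []string {
	return append(image, own...)
}

// buildEnvFixed copies the image env into a fresh slice owned by this
// container before appending, so no container can observe another's values.
func buildEnvFixed(image, own []string) []string {
	env := make([]string, 0, len(image)+len(own))
	env = append(env, image...)
	return append(env, own...)
}

// leakedVars reports every variable name in a container's effective env that
// comes neither from the image nor from this container's own declaration.
func leakedVars(effective, image, declared []string) []string {
	allowed := map[string]bool{}
	for _, kv := range append(append([]string{}, image...), declared...) {
		allowed[strings.SplitN(kv, "=", 2)[0]] = true
	}
	var leaked []string
	for _, kv := range effective {
		if k := strings.SplitN(kv, "=", 2)[0]; !allowed[k] {
			leaked = append(leaked, k)
		}
	}
	return leaked
}

func main() {
	image := sharedImageEnv()
	envA := buildEnvBuggy(image, []string{"DB_PASSWORD=a-secret"}) // container A
	_ = buildEnvBuggy(image, []string{"API_KEY=b-secret"})         // container B
	fmt.Println(leakedVars(envA, image, []string{"DB_PASSWORD=a-secret"})) // [API_KEY]

	image = sharedImageEnv()
	envA = buildEnvFixed(image, []string{"DB_PASSWORD=a-secret"})
	_ = buildEnvFixed(image, []string{"API_KEY=b-secret"})
	fmt.Println(leakedVars(envA, image, []string{"DB_PASSWORD=a-secret"})) // []
}
```

In the buggy build, container A not only sees container B's API_KEY but has also lost its own DB_PASSWORD, which is why a declared-versus-effective comparison catches the problem from either direction.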
Attack Vector
The vulnerability is exploitable over the network in scenarios where an attacker can influence container scheduling on a shared Kubernetes cluster. The attack requires the following conditions:
- Multiple containers launched through containerd's CRI implementation
- Containers sharing the same base image
- Different environment variables configured for different containers
- Rapid succession of container launches
An attacker with the ability to schedule pods on a Kubernetes cluster could potentially craft malicious pods to intercept environment variables from other tenants' containers, leading to credential theft or information disclosure.
# Release notes from containerd v1.4.4 patch
# Source: https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e
# commit to be tagged for new release
commit = "HEAD"
project_name = "containerd"
github_repo = "containerd/containerd"
match_deps = "^github.com/(containerd/[a-zA-Z0-9-]+)$"
# previous release
previous = "v1.4.3"
pre_release = false
preface = """\
The fourth patch release for `containerd` 1.4 contains a fix for CVE-2021-21334
along with various other minor issues.
See [GHSA-36xw-fx78-c5r4](https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4)
for more details related to CVE-2021-21334.
### Notable Updates
* **Fix container create in CRI to prevent possible environment variable leak between containers** [#1628](https://github.com/containerd/cri/pull/1628)
* **Update shim server to return grpc NotFound error** [#4872](https://github.com/containerd/containerd/pull/4872)
* **Add bounds on max `oom_score_adj` value for shim's AdjustOOMScore** [#4874](https://github.com/containerd/containerd/pull/4874)
* **Update task manager to use fresh context when calling shim shutdown** [#4929](https://github.com/containerd/containerd/pull/4929)
* **Update Docker resolver to avoid possible concurrent map access panic** [#4941](https://github.com/containerd/containerd/pull/4941)
* **Update shim's log file open flags to avoid containerd hang on syscall open** [#4971](https://github.com/containerd/containerd/pull/4971)
* **Fix incorrect usage calculation** [#5019](https://github.com/containerd/containerd/pull/5019)
"""
Source: GitHub Commit 05f951a
Detection Methods for CVE-2021-21334
Indicators of Compromise
- Unexpected environment variables appearing in container logs or process listings
- Containers accessing credentials or secrets they should not have access to
- Anomalous authentication attempts using credentials belonging to other services
- Cross-container data access patterns in multi-tenant environments
Detection Strategies
- Monitor container environment variable configurations for unexpected values using Kubernetes admission controllers
- Implement audit logging for all container creation events through the CRI interface
- Use SentinelOne Singularity™ for Cloud to detect anomalous container behavior and environment variable leakage
- Deploy runtime security monitoring to identify containers accessing resources outside their intended scope
Monitoring Recommendations
- Enable containerd debug logging to capture detailed container creation events
- Implement secret rotation policies to limit exposure window if leakage occurs
- Monitor Kubernetes audit logs for rapid container creation patterns from the same image
- Configure alerting for containers accessing secrets or credentials outside their namespace
How to Mitigate CVE-2021-21334
Immediate Actions Required
- Upgrade containerd to version 1.3.10 or 1.4.4 immediately
- Audit all containers for potential environment variable leakage
- Rotate any secrets that may have been exposed in affected environments
- Review Kubernetes pod scheduling to identify potentially affected workloads
Patch Information
The containerd project has released patched versions that address this vulnerability. Users should upgrade to containerd version 1.3.10 or 1.4.4 depending on their current version branch. The fix is documented in GitHub Security Advisory GHSA-6g2q-w5j3-fwh4 and implemented in commit 05f951a. Fedora users should apply updates from the Fedora Package Announcements.
Workarounds
- Avoid launching multiple containers from the same image with different environment variables in rapid succession
- Use Kubernetes secrets mounted as files instead of environment variables for sensitive data
- Implement network segmentation to limit blast radius if credential leakage occurs
- Consider using unique images per security context to eliminate the shared image attack vector
# Check the installed containerd version before deciding whether an upgrade is needed
containerd --version
# Debian/Ubuntu with apt (the package is containerd.io from Docker's repository, or containerd from the distribution)
sudo apt update
sudo apt install containerd.io
# Fedora/RHEL/CentOS with dnf (use yum on older releases; Fedora ships the package as containerd)
sudo dnf update containerd
# Confirm the patched version is now installed
containerd --version
# Expected: a 1.4.x version of 1.4.4 or later, or a 1.3.x version of 1.3.10 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.