Host containers were run with the same process and mount labels as containers started by the orchestrator agent. This would allow malicious containers to modify files inside a host container, if they had access to those files through host volume mounts and the required permissions.
Our security guidance recommends limiting access to host volume mounts and advises against running privileged containers.
The Bottlerocket team thanks Stephen Breen of Atredis Partners for reporting this issue.
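One way to check workloads against the guidance above, as an added example that is not part of the advisory or of Bottlerocket's own code: it assumes the orchestrator is Kubernetes and that the input is the JSON produced by `kubectl get pods -A -o json`. The function name `audit_pods` and the sample pod list are constructed for illustration.

```python
import json

# Constructed sample: a Kubernetes PodList as `kubectl get pods -A -o json` would emit.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"containers": [{"name": "app", "image": "example/app"}],
            "volumes": [{"name": "cache", "emptyDir": {}}]}},
  {"metadata": {"namespace": "ops", "name": "log-shipper"},
   "spec": {"containers": [{"name": "ship", "image": "example/ship",
                            "volumeMounts": [{"name": "host-var", "mountPath": "/host/var"}]}],
            "volumes": [{"name": "host-var", "hostPath": {"path": "/var"}}]}},
  {"metadata": {"namespace": "ops", "name": "debug"},
   "spec": {"initContainers": [{"name": "setup", "image": "example/setup",
                                "securityContext": {"privileged": true}}],
            "containers": [{"name": "main", "image": "example/main"}]}}
]}
""")


def audit_pods(pod_list):
    """Return (pod, container, kind, detail) for privileged containers and hostPath mounts."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        pod_id = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        # Map volume name -> host path for every hostPath volume declared by the pod.
        host_vols = {v["name"]: v["hostPath"].get("path", "")
                     for v in spec.get("volumes") or [] if "hostPath" in v}
        containers = []
        for key in ("initContainers", "containers", "ephemeralContainers"):
            containers.extend(spec.get(key) or [])
        for c in containers:
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                findings.append((pod_id, c["name"], "privileged", ""))
            for m in c.get("volumeMounts") or []:
                if m.get("name") in host_vols:
                    # Writable mounts matter most here: the issue is file modification.
                    mode = "ro" if m.get("readOnly") else "rw"
                    findings.append((pod_id, c["name"], "hostPath",
                                     f'{host_vols[m["name"]]} ({mode})'))
    return findings


if __name__ == "__main__":
    for finding in audit_pods(SAMPLE_POD_LIST):
        print(*finding)
```

A hostPath volume that no container mounts is not reported, since only mounted volumes give a container access to host files.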