Amazon Linux 2023 Security Advisory: ALAS2023-2025-1304
Advisory Released Date: 2025-12-08
Advisory Updated Date: 2025-12-08
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 create the directories `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` with overly broad default permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. As a workaround, a system administrator can chmod those directories on the host so that they are not group- or world-accessible, or run containerd in rootless mode. (CVE-2024-25621)
containerd is an open-source container runtime. Versions 1.7.28 and below, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4, and 2.2.0-beta.0 through 2.2.0-rc.1 contain a bug in the CRI Attach implementation: leaked goroutines let a user who can attach to pods exhaust memory on the host. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. To work around this vulnerability, deploy an admission controller that restricts access to the pods/attach resource. (CVE-2025-64329)
Affected Packages:
containerd
Issue Correction:
Run dnf update containerd --releasever 2023.9.20251208 or dnf update --advisory ALAS2023-2025-1304 --releasever 2023.9.20251208 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
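The checks a host administrator would run against this advisory, as an added example that is not part of the advisory or of containerd itself: the script compares the installed containerd version (from rpm) against the fixed releases listed above, reports whether the three directories named in CVE-2024-25621 are group- or world-accessible, and, if kubectl is on the path, asks whether the current identity may use the pods/attach subresource that the CVE-2025-64329 workaround gates. It reports only and changes nothing. The function names, the CONTAINERD_DIRS variable, the `audit` argument and the file name audit.sh are this example's own.

```shell
#!/bin/sh
# Added example for ALAS2023-2025-1304; not part of the advisory or of containerd.
# Audits a host for the two issues in the advisory without modifying anything.

# Directories named in CVE-2024-25621 (taken from the advisory text).
CONTAINERD_DIRS="/var/lib/containerd \
/run/containerd/io.containerd.grpc.v1.cri \
/run/containerd/io.containerd.sandbox.controller.v1.shim"

# version_ge A B: exit 0 if X.Y.Z version A >= B.  A pre-release suffix
# ("2.2.0-rc.1") ranks below the bare release ("2.2.0"), matching the
# advisory, which lists 2.2.0-rc.1 as affected and 2.2.0 as fixed.
# Two pre-releases with the same numeric part are treated as equal.
version_ge() {
    base_a=${1%%-*}; pre_a=${1#"$base_a"}
    base_b=${2%%-*}; pre_b=${2#"$base_b"}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$base_a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$base_b" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    [ -n "$pre_a" ] && [ -z "$pre_b" ] && return 1
    return 0
}

# fixed_version_for V: first fixed release on V's branch, per the advisory.
fixed_version_for() {
    case "$1" in
        2.0.*)   echo 2.0.7 ;;
        2.1.*)   echo 2.1.5 ;;
        2.2.*)   echo 2.2.0 ;;
        0.*|1.*) echo 1.7.29 ;;  # 0.1.0 through 1.7.28 are all affected
        *)       echo 2.2.0 ;;   # later branches are not listed as affected
    esac
}

# containerd_vulnerable V: exit 0 if V is below its branch's fixed release.
containerd_vulnerable() {
    ! version_ge "$1" "$(fixed_version_for "$1")"
}

# dir_group_or_world_accessible DIR: exit 0 if the group or other bits of
# DIR grant any access, 1 if not, 2 if DIR cannot be inspected.  Parses
# ls -ld (columns 5-10 are the group and other bits) instead of stat,
# whose format flags differ between GNU and BSD.
dir_group_or_world_accessible() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ -n "$mode" ] || return 2
    case "$mode" in
        *[rwxst]*) return 0 ;;   # lowercase s/t also imply the execute bit
        *)         return 1 ;;
    esac
}

audit_host() {
    if installed=$(rpm -q --queryformat '%{VERSION}' containerd 2>/dev/null); then
        if containerd_vulnerable "$installed"; then
            echo "containerd $installed is affected; update to $(fixed_version_for "$installed") or later"
        else
            echo "containerd $installed carries the fix"
        fi
    else
        echo "containerd is not installed via rpm; version check skipped"
    fi
    for d in $CONTAINERD_DIRS; do
        [ -d "$d" ] || continue
        if dir_group_or_world_accessible "$d"; then
            echo "$d is group- or world-accessible (advisory workaround: chmod go-rwx $d)"
        else
            echo "$d is restricted to its owner"
        fi
    done
    if command -v kubectl >/dev/null 2>&1; then
        # Attaching is the "create" verb on the pods/attach subresource.
        echo "current identity may attach to pods: $(kubectl auth can-i create pods --subresource=attach 2>/dev/null)"
    fi
}

# Run the audit only when invoked as: sh audit.sh audit
if [ "${1:-}" = audit ]; then
    audit_host
fi
```

Run it as root so that ls can inspect the directories under /run/containerd. The chmod it prints is the advisory's own workaround; the alternative named in the advisory, running containerd in rootless mode, is not something this script can detect. For the second CVE, an admission controller is the mitigation; the kubectl line only tells you whether your own identity reaches pods/attach, so repeat it with `--as=<user>` for the service accounts you care about.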
aarch64:
containerd-debuginfo-2.1.5-1.amzn2023.0.1.aarch64
containerd-stress-debuginfo-2.1.5-1.amzn2023.0.1.aarch64
containerd-stress-2.1.5-1.amzn2023.0.1.aarch64
containerd-2.1.5-1.amzn2023.0.1.aarch64
containerd-debugsource-2.1.5-1.amzn2023.0.1.aarch64
src:
containerd-2.1.5-1.amzn2023.0.1.src
x86_64:
containerd-debuginfo-2.1.5-1.amzn2023.0.1.x86_64
containerd-stress-debuginfo-2.1.5-1.amzn2023.0.1.x86_64
containerd-stress-2.1.5-1.amzn2023.0.1.x86_64
containerd-2.1.5-1.amzn2023.0.1.x86_64
containerd-debugsource-2.1.5-1.amzn2023.0.1.x86_64