CVE-2024-21626 Runc
This document (000021363) is provided subject to the disclaimer at the end of this document.
Situation
Upstream information from NIST
The Problem:
- runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
For more on this CVE, check out this GitHub advisory from OpenContainers:
- https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
Resolution
The solution:
This CVE has been patched in runc versions >=1.1.12:
- https://github.com/opencontainers/runc/releases/tag/v1.1.12
Patched RKE, RKE2, K3s, and Rancher versions:
You can also upgrade to Rancher 2.8.2 as it includes the patches for CVE-2024-21626, as mentioned in the release notes, specifically under Security Fixes:
- https://github.com/rancher/rancher/releases/tag/v2.8.2
For RKE users, the releases for patched Kubernetes versions include:
-
=v1.5.5
-
=v1.4.14
For RKE2 users, the patched Kubernetes versions include:
-
=v1.26.13+rke2r1
-
=v1.27.10+rke2r1
-
=v1.28.6+rke2r1
-
=v1.29.1+rke2r1
For K3s users, the patched Kubernetes versions include:
-
=v1.26.13+k3s2
-
=v1.27.10+k3s2
-
=v1.28.6+k3s2
-
=v1.29.1+k3s2
For users of Embedded K3s (Used when running rancher/rancher in a single Docker container(install) - Not recommended for production use)
- There will be a future release including the necessary patches (TBD)
- Please note that this does NOT affect Rancher itself, only if you have spun up an instance of Rancher in a single Docker container
- For reference
For Air-Gapped users:
- There will be a future release specifically for these environments so they can benefit from the KDM (Kontainer driver metadata) upgrades (TDB)
- For more information on what KDM is, please review this GitHub repo:
- https://github.com/rancher/kontainer-driver-metadata
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.