
CVE-2024-21626 Runc

This document (000021363) is provided subject to the disclaimer at the end of this document.

Situation

Upstream information from NIST

The Problem:

  • runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

For more on this CVE, check out this GitHub advisory from OpenContainers:

  • https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv

Resolution

The solution:

This CVE has been patched in runc versions >=1.1.12:

  • https://github.com/opencontainers/runc/releases/tag/v1.1.12

Patched RKE, RKE2, K3s, and Rancher versions:

You can also upgrade to Rancher 2.8.2 as it includes the patches for CVE-2024-21626, as mentioned in the release notes, specifically under Security Fixes:

  • https://github.com/rancher/rancher/releases/tag/v2.8.2

For RKE users, the releases for patched Kubernetes versions include:

  • =v1.5.5

  • =v1.4.14

For RKE2 users, the patched Kubernetes versions include:

  • =v1.26.13+rke2r1

  • =v1.27.10+rke2r1

  • =v1.28.6+rke2r1

  • =v1.29.1+rke2r1

For K3s users, the patched Kubernetes versions include:

  • =v1.26.13+k3s2

  • =v1.27.10+k3s2

  • =v1.28.6+k3s2

  • =v1.29.1+k3s2
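As an added example (not part of this article or of the Rancher project), the following Python check compares `runc --version` output and RKE2/K3s version strings against the patched releases listed above. It assumes that later patch releases on the same Kubernetes minor line keep the fix, which the article does not state explicitly, and it reports None for minor lines the article does not list.

```python
import re

# runc release that carries the fix, per the advisory: 1.1.12 and later.
RUNC_FIXED = (1, 1, 12)

# First patched (patch, build) release per Kubernetes minor line, from this article.
# Assumption (not stated on the page): later patch releases on the same minor line
# keep the fix, so anything at or above the listed release counts as patched.
PATCHED = {
    "rke2": {(1, 26): (13, 1), (1, 27): (10, 1), (1, 28): (6, 1), (1, 29): (1, 1)},
    "k3s": {(1, 26): (13, 2), (1, 27): (10, 2), (1, 28): (6, 2), (1, 29): (1, 2)},
}
SUFFIX = {"rke2": "rke2r", "k3s": "k3s"}  # build-number prefix in each version string


def runc_version(output):
    """Parse the first line of `runc --version` into a (major, minor, patch) tuple."""
    m = re.search(r"runc version (\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("unrecognised runc --version output")
    return tuple(int(x) for x in m.groups())


def runc_is_patched(output):
    """True when the reported runc is 1.1.12 or later."""
    return runc_version(output) >= RUNC_FIXED


def k8s_is_patched(distro, version):
    """Return True/False for a string like 'v1.28.6+k3s2', or None when the
    minor line is not listed in the article, so this check cannot decide."""
    m = re.fullmatch(rf"v(\d+)\.(\d+)\.(\d+)\+{SUFFIX[distro]}(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised {distro} version string: {version}")
    major, minor, patch, build = (int(x) for x in m.groups())
    floor = PATCHED[distro].get((major, minor))
    if floor is None:
        return None
    return (patch, build) >= floor


if __name__ == "__main__":
    # Constructed sample in the format `runc --version` prints; not taken from a real host.
    sample = "runc version 1.1.11\ncommit: v1.1.11-0-gPLACEHOLDER\nspec: 1.0.2-dev\n"
    print("runc patched:", runc_is_patched(sample))
    print("k3s patched:", k8s_is_patched("k3s", "v1.28.6+k3s1"))
    print("rke2 patched:", k8s_is_patched("rke2", "v1.29.1+rke2r1"))
```

On a real node, feed the check the actual output of `runc --version` and the `kubelet --version` (or `k3s --version` / `rke2 --version`) string instead of the constructed sample.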

For users of embedded K3s (used when running rancher/rancher in a single Docker container install, which is not recommended for production use):

  • There will be a future release including the necessary patches (TBD)
  • Please note that this does NOT affect Rancher itself; it only applies if you have spun up an instance of Rancher in a single Docker container
  • For reference

For Air-Gapped users:

  • There will be a future release specifically for these environments so they can benefit from the KDM (Kontainer Driver Metadata) upgrades (TBD)
  • For more information on what KDM is, please review this GitHub repo:
  • https://github.com/rancher/kontainer-driver-metadata

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.