We have released a new security release for Avisi Cloud Kubernetes

Kubernetes Security Release - CVE-2024-21626

On january 31th Snyk found a CVE (CVE-2024-21626: Leaky Vessels) in Runc which allows attackers to escape containers to the underlying host OS. This vulnerability exists in all runc versions prior to 1.1.11.

We have released new Security Releases for Avisi Cloud Kubernetes, which contain patches of runc to 1.1.12. We recommend all our customers to upgrade their clusters to the latest patch version available to them as soon as possible. Please see our documentation on how to upgrade your cluster.

Affected Versions

This affects the following Avisi Cloud Kubernetes versions:

• Avisi Cloud Kubernetes <= v1.29.1-u-ame.6
• Avisi Cloud Kubernetes <= v1.28.6-u-ame.6
• Avisi Cloud Kubernetes <= v1.27.10-u-ame.6
• Any Avisi Cloud Kubernetes before v1.26

Fixed Versions

• Avisi Cloud Kubernetes v1.29.1-u-ame.9
• Avisi Cloud Kubernetes v1.28.6-u-ame.9
• Avisi Cloud Kubernetes v1.27.10-u-ame.9

Runtime detection methods

As mentioned in Snyk’s blog post on this CVE, Helios has built an eBPF-based runtime detection tool for this vulnerablity.

This tool can identify a running container attempting to exercise this vulnerability on underlying infrastructure, placing the underlying host at risk. Note that this tool cannot prevent the exploitation of this vulnerability, only warn of exposure.

See Snyk’s blog post for instructions on how to use this tool.

Additional CVE’s in Leaky Vessels

In addition, three other CVE’s have been reported that concern BuildKit (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). Docker has also released patches for runc, BuildKit, Moby and Docker Desktop.

Links

• Runc’s security advisory
• Snyk blog post
• Docker blog post

Release notes

Please see our release notes for the full changelog.