Kubernetes Security Release - CVE-2024-21626
On January 31st, 2024, Snyk disclosed CVE-2024-21626 ("Leaky Vessels"), a vulnerability in runc that allows an attacker who can start or build a container to escape it and gain access to the underlying host filesystem. The root cause is an internal file descriptor leak that lets a container process start with a working directory in the host filesystem namespace. It affects all runc versions up to and including 1.1.11 and is fixed in runc 1.1.12.
We have released new Security Releases for Avisi Cloud Kubernetes that update runc to 1.1.12. We recommend that all customers upgrade their clusters to the latest patch version available to them as soon as possible; see our documentation on how to upgrade your cluster.
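As a quick node-level check (an example script added here; it is not part of Avisi Cloud's documentation or of runc), the following POSIX shell functions parse the first line of `runc --version` and report whether the build is below the first fixed release. The sample outputs in the block are constructed for illustration; real `runc --version` output starts with the same `runc version X.Y.Z` line.

```shell
#!/bin/sh
# Added example (not from Avisi Cloud's docs or runc): classify a node's runc
# build against the first fixed release for CVE-2024-21626.
# Assumption: `runc --version` prints a first line of the form
# "runc version X.Y.Z" or "runc version X.Y.Z-rcN".

FIXED_RUNC="1.1.12"   # first runc release containing the fix

# runc_version_from_output "<output of runc --version>" -> prints "X.Y.Z"
# Pre-release suffixes such as "-rc93" are stripped, so every 1.0.0-rcN build
# compares as 1.0.0, which is still below 1.1.12 and therefore reported as
# vulnerable. Prints nothing when no "runc version" line is found.
runc_version_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/^runc version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# version_lt A B -> succeeds (exit 0) when A < B, comparing major, minor and
# patch numerically so that 1.1.9 sorts before 1.1.12.
version_lt() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}; a_patch=${a_rest#*.}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}; b_patch=${b_rest#*.}
    if [ "$a_major" -lt "$b_major" ]; then return 0; fi
    if [ "$a_major" -gt "$b_major" ]; then return 1; fi
    if [ "$a_minor" -lt "$b_minor" ]; then return 0; fi
    if [ "$a_minor" -gt "$b_minor" ]; then return 1; fi
    if [ "$a_patch" -lt "$b_patch" ]; then return 0; fi
    return 1
}

# runc_status "<output of runc --version>" -> prints VULNERABLE, FIXED or UNKNOWN
runc_status() {
    v=$(runc_version_from_output "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif version_lt "$v" "$FIXED_RUNC"; then
        echo VULNERABLE
    else
        echo FIXED
    fi
}

# Constructed sample outputs (commit lines are placeholders, not real hashes).
SAMPLE_OLD='runc version 1.1.11
commit: 0000000
spec: 1.0.2-dev'
SAMPLE_RC='runc version 1.0.0-rc93
commit: 0000000
spec: 1.0.2-dev'
SAMPLE_FIXED='runc version 1.1.12
commit: 0000000
spec: 1.0.2-dev'
SAMPLE_NEWER='runc version 1.2.0
commit: 0000000
spec: 1.1.0'

# Stand-alone use on a node (only when runc is actually on PATH):
if command -v runc >/dev/null 2>&1; then
    runc_status "$(runc --version 2>/dev/null)"
fi
```

Run it with shell access on each node; `kubectl get nodes -o wide` only reports the containerd version in its CONTAINER-RUNTIME column, not the runc build that containerd invokes, so it is not a substitute for this check.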
Affected Versions
This affects the following Avisi Cloud Kubernetes versions:
- Avisi Cloud Kubernetes v1.29.1-u-ame.6
- Avisi Cloud Kubernetes v1.28.6-u-ame.6
- Avisi Cloud Kubernetes v1.27.10-u-ame.6
- Any Avisi Cloud Kubernetes version before v1.26
Fixed Versions
- Avisi Cloud Kubernetes v1.29.1-u-ame.9
- Avisi Cloud Kubernetes v1.28.6-u-ame.9
- Avisi Cloud Kubernetes v1.27.10-u-ame.9
Runtime detection methods
As mentioned in Snyk's blog post on this CVE, Helios has built an eBPF-based runtime detection tool for this vulnerability.
This tool can identify a running container attempting to exploit this vulnerability against the underlying host. Note that the tool cannot prevent exploitation; it only alerts on attempts, so it complements the upgrade rather than replacing it.
See Snyk's blog post for instructions on how to use this tool.
Additional CVEs in Leaky Vessels
Three further CVEs disclosed under the same name concern BuildKit (CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653). Docker has also released patches for runc, BuildKit, Moby and Docker Desktop.
Links
Release notes
Please see our release notes for the full changelog.