The runC community recently discovered the vulnerability CVE-2024-21626. Attackers can exploit this vulnerability to escape from containers, and then access the host file system or run external binaries. For more information about CVE-2024-21626, see GHSA-xr7r-f8xq-vfvv. We recommend that you fix this vulnerability at the earliest opportunity.
Affected versions
ACK Edge clusters that run Kubernetes versions 1.20, 1.22, 1.24, or 1.26 and use containerd 1.5.13 or 1.6.20 are affected.
You can go to the Node Pools page, click the ID of a node pool, and then click the Overview tab to view the runtime and its version.
Newly added nodes in ACK clusters are not affected.
ACK clusters that use the Docker runtime are not affected.
Solution
Use the script
You must run the following script on the affected nodes to fix the vulnerability.
To ensure cluster and application stability, run the script on the affected nodes in batches. Do not run the script on all nodes at a time.
Nodes connected to ACK over the Internet
wget -qr https://ack-edge-cn.oss-rg-china-mainland.aliyuncs.com/runc-edge-cve.sh -O /tmp/runc-cve.sh && bash /tmp/runc-cve.sh
Nodes connected to ACK through Express Connect circuits
Specify the region of your ACK cluster in the command.
export REGION=cn-hangzhou; wget -qr "https://aliacs-k8s-${REGION}.oss-${REGION}-internal.aliyuncs.com/public/pkg/edge/runc-edge-cve-internal.sh" -O /tmp/runc-cve.sh && bash /tmp/runc-cve.sh
Expected output
The following output indicates that the CVE vulnerability does not exist in the environment. You can ignore the output.
runc version is low, no cve, is safe
The following output indicates that the CVE vulnerability was found in the environment and has been fixed. This also means that the other nodes in the same node pool may have this vulnerability. Run the script on those nodes in batches and observe the status of your applications after each batch.
cve is fixed...ok
Version information
Run the following command to query the version of runc after the fix:
runc --version | grep commit | awk -F "-g" '{print $2}'
Expected output:
390c7001
The script used to fix the vulnerability does not change or upgrade the runc version number.
This runc build is maintained by ACK and is derived from the open source version; the vulnerability present in the open source version has been fixed in it.
Rollback
If the patching does not meet your requirements, you can run the following commands on the nodes to roll back runc to the previous version (the fix script keeps a backup of the original binary at the runc path with a _bak suffix).
runc_path=$(command -v runc)
cp -f ${runc_path}_bak ${runc_path}
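The following helper is an added example for the version check and the rollback section above; it is not part of the ACK advisory or its fix script. It parses runc --version output with the same grep/awk pipeline the advisory uses, classifies the node as patched or not against the commit suffix 390c7001 listed above, and checks that the _bak backup needed for rollback is present. The sample version output is constructed, not captured from a real node.

```shell
#!/bin/sh
# Added verification helper (not part of the ACK advisory or its fix script).

# Commit suffix the advisory lists for the patched runc build.
EXPECTED_COMMIT="390c7001"

# Extract the commit hash after "-g" from `runc --version` output read on stdin.
# Mirrors the advisory's check: runc --version | grep commit | awk -F "-g" '{print $2}'
runc_commit() {
    grep commit | awk -F "-g" '{print $2}'
}

# Return 0 if the given commit hash matches the patched build, 1 otherwise.
runc_is_patched() {
    [ "$1" = "$EXPECTED_COMMIT" ]
}

# Print PATCHED / UNPATCHED / UNKNOWN for a commit hash and return 0 / 1 / 2.
# An empty hash means the version output could not be parsed, so do not assume safety.
runc_status() {
    commit="$1"
    if [ -z "$commit" ]; then
        echo "UNKNOWN"; return 2
    elif runc_is_patched "$commit"; then
        echo "PATCHED"; return 0
    else
        echo "UNPATCHED"; return 1
    fi
}

# Return 0 if the backup the fix script leaves next to runc (<runc path>_bak) exists,
# i.e. the advisory's rollback commands can still be run on this node.
rollback_backup_present() {
    [ -f "${1}_bak" ]
}

# Constructed sample in the format `runc --version` prints (not from a real node).
SAMPLE_PATCHED="runc version 1.1.4
commit: v1.1.4-0-g390c7001
spec: 1.0.2-dev"

# Run with --live on an actual node to inspect the installed binary.
if [ "${1:-}" = "--live" ]; then
    runc_path=$(command -v runc) || { echo "runc not found"; exit 2; }
    runc_status "$(runc --version | runc_commit)"
    rollback_backup_present "$runc_path" && echo "rollback backup present" || echo "no rollback backup"
fi
```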