The runC community recently disclosed CVE-2024-21626. A process inside a container can exploit it to escape the container: a file descriptor that runc leaks into the container's initial process (reachable through /proc/self/fd/) can be used as the working directory of that process, or of a process started with runc exec, which gives it access to the host file system and, in some variants described in the advisory, lets it overwrite binaries on the host. The attack can be triggered by a crafted container image or by a malicious process in an already running container, so it is a risk wherever untrusted images or users reach a node. For more information about CVE-2024-21626, see GHSA-xr7r-f8xq-vfvv. We recommend that you fix this vulnerability at the earliest opportunity.
Affected versions
The following runC versions are affected:
runC 1.0.0-rc93 through 1.1.11, inclusive. Note that the range starts at 1.0.0-rc93, not 1.1.0-rc93; every release and release candidate from 1.0.0-rc93 up to and including 1.1.11 is affected.
This vulnerability is fixed in the following runC version:
1.1.12 and later.
The following Container Service for Kubernetes (ACK) clusters are affected:
ACK clusters whose node pools use containerd 1.5.13 or 1.6.20. Other containerd versions do not have this vulnerability.
You can check the runtime and its version on the basic information page of a node pool.
Newly added nodes in ACK clusters are not affected.
ACK clusters that use the Docker runtime are not affected.
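The node pool page shows the containerd version, but the component that actually carries the bug is the runc binary installed on each node, and it is worth confirming it directly (for example over SSH) before and after a node pool update. The script below is an added example, not ACK tooling: it parses the output of runc --version and classifies the version against the upstream affected range, 1.0.0-rc93 up to and including 1.1.11. The numeric ordering key is this script's own construction (release candidates rank below the final release with the same base version), and the sample runc --version text is constructed here, not captured from an ACK node.

```shell
#!/bin/sh
# Added example (not part of the ACK documentation or of runc):
# classify the runc on a node against CVE-2024-21626.
# Affected range per the upstream advisory: 1.0.0-rc93 <= version <= 1.1.11.

# version_key VERSION -> prints an integer that preserves runc's release order,
# e.g. 1.0.0-rc93 < 1.0.0 < 1.1.0-rc.1 < 1.1.11 < 1.1.12.
# The key layout is an assumption of this script; it only has to order
# versions the way runc tags do. A release candidate ranks below the final
# release of the same base version (rc number 999 stands for "final").
version_key() {
  v=${1#v}                 # tolerate a leading "v" as used in git tags
  v=${v%%+*}               # drop build metadata such as "+dev"
  case $v in
    *-rc*) rc=${v##*-rc}; rc=${rc#.}; base=${v%%-rc*} ;;   # "rc93" and "rc.1" styles
    *)     rc=999;                    base=$v ;;
  esac
  maj=${base%%.*}; rest=${base#*.}
  min=${rest%%.*}
  case $rest in *.*) pat=${rest#*.} ;; *) pat=0 ;; esac
  echo $(( ((maj * 1000 + min) * 1000 + pat) * 1000 + rc ))
}

# runc_affected VERSION -> exit 0 if VERSION lies in the affected range.
runc_affected() {
  k=$(version_key "$1")
  [ "$k" -ge "$(version_key 1.0.0-rc93)" ] && [ "$k" -le "$(version_key 1.1.11)" ]
}

# runc_verdict VERSION -> prints "affected" or "not affected".
runc_verdict() {
  if runc_affected "$1"; then echo affected; else echo "not affected"; fi
}

# runc_version_from_output TEXT -> extracts the version from "runc --version" output.
runc_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^runc version \([^ ]*\).*/\1/p' | head -n 1
}

# Constructed sample of "runc --version" output for a vulnerable build
# (commit field is a placeholder, not a real runc commit).
SAMPLE_RUNC_OUTPUT='runc version 1.1.11
commit: v1.1.11-0-g0000000
spec: 1.0.2-dev
go: go1.20.13
libseccomp: 2.5.4'

# check_node: run on a node to classify its installed runc.
# Exit status: 0 patched, 1 affected, 2 runc not found.
check_node() {
  if ! command -v runc >/dev/null 2>&1; then
    echo "runc not found in PATH" >&2
    return 2
  fi
  ver=$(runc_version_from_output "$(runc --version 2>/dev/null)")
  echo "runc $ver: $(runc_verdict "$ver")"
  ! runc_affected "$ver"
}

# Usage on a node: sh check-runc.sh --node
if [ "${1:-}" = "--node" ]; then check_node; fi
```

Run it on every node of an affected node pool, not only on one, because nodes added after a runtime update carry a different runc than nodes that were already in the pool.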
Solutions
If you use the preceding ACK clusters, pay close attention to Release notes for containerd and update the runtimes of your ACK clusters to a patched version. For more information, see Node pool updates. Nodes that already exist keep their current runtime until the node pool is updated; only newly added nodes receive the patched runtime automatically.
Until every node runs a patched runtime, limit who can bring images onto the cluster, because a crafted image is one of the ways this vulnerability is triggered. Use the ACKAllowedRepos policy described in the Configure and enforce ACK pod security policies topic so that pods can only run images pulled from trusted repositories. In addition, follow the least privilege principle: make sure that only trusted users have permissions to import images and to exec into running containers.
Use the features described in the Sign container images and Use kritis-validation-hook to automatically verify the signatures of container images topics to ensure the security and integrity of container images.
If you use an ACK Edge cluster, refer to Fix vulnerability CVE-2024-21626.
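An admission policy such as ACKAllowedRepos only acts on pods created after it is enforced, so it helps to audit what is already running before the runtime is patched. The script below is an added example, not part of ACK or its policy library: it normalises image references the way a container runtime resolves them (an image with no registry comes from docker.io, a bare name sits under library/, tags and digests are stripped) and reports pods whose images fall outside an allowed list of repository prefixes. The prefix matching on the normalised reference is this script's own rule and is not claimed to be identical to the policy's matching; the registry name registry.example.com/trusted/ and the pod list are constructed for the example.

```shell
#!/bin/sh
# Added example (not ACK tooling): audit running pod images against an
# allowed-repository list, as a companion check to the ACKAllowedRepos policy.

# image_registry IMAGE -> prints the registry the image is pulled from, using the
# Docker reference rule: the first path component is a registry only if it
# contains "." or ":" or is "localhost"; otherwise docker.io is implied.
image_registry() {
  ref=$1
  case $ref in
    */*) first=${ref%%/*} ;;
    *)   first= ;;
  esac
  case $first in
    *.*|*:*|localhost) echo "$first" ;;
    *)                 echo docker.io ;;
  esac
}

# image_repo IMAGE -> prints registry/path with tag and digest removed and
# docker.io names expanded (nginx:1.25 -> docker.io/library/nginx).
image_repo() {
  ref=${1%%@*}                       # drop "@sha256:..." digest
  reg=$(image_registry "$ref")
  case $ref in
    "$reg"/*) path=${ref#"$reg"/} ;;
    *)        path=$ref ;;            # registry was implied, nothing to strip
  esac
  last=${path##*/}                   # a ":" in the last component is a tag
  case $last in *:*) path=${path%:*} ;; esac
  if [ "$reg" = docker.io ]; then
    case $path in */*) ;; *) path=library/$path ;; esac
  fi
  echo "$reg/$path"
}

# image_allowed IMAGE PREFIX... -> exit 0 if the normalised repo starts with
# one of the allowed prefixes (this script's matching rule, an assumption).
image_allowed() {
  img=$1; shift
  repo=$(image_repo "$img")
  for allowed in "$@"; do
    case $repo in "$allowed"*) return 0 ;; esac
  done
  return 1
}

# audit_images PREFIX... : reads lines "NAMESPACE POD IMAGE[,IMAGE...]" on stdin
# (the layout of kubectl custom-columns output), prints every disallowed image,
# and returns 1 if any was found.
audit_images() {
  bad=0
  while read -r ns pod imgs; do
    [ -n "$imgs" ] || continue
    for img in $(printf '%s' "$imgs" | tr ',' ' '); do
      image_allowed "$img" "$@" || { echo "DISALLOWED $ns/$pod $img"; bad=1; }
    done
  done
  return $bad
}

# Constructed sample pod list (not captured from a real cluster).
SAMPLE_POD_IMAGES='kube-system coredns-7d8f registry.example.com/trusted/coredns:1.9.3
default web-1 nginx:1.25
default web-2 ghcr.io/example/app@sha256:0000000000000000000000000000000000000000000000000000000000000000
default app-3 registry.example.com/trusted/app:2.0,registry.example.com/trusted/sidecar:1.0'

# Live usage: sh audit-images.sh --cluster registry.example.com/trusted/
if [ "${1:-}" = "--cluster" ]; then
  shift
  kubectl get pods -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,POD:.metadata.name,IMAGES:.spec.containers[*].image \
    | audit_images "$@"
fi
```

Against the sample list with registry.example.com/trusted/ as the only allowed prefix, the script flags web-1 (resolved to docker.io/library/nginx) and web-2 (ghcr.io/example/app) and exits non-zero, while app-3, whose two containers both come from the trusted repository, passes.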