Summary
We are aware of a new vulnerability, CVE-2024-21626 (nicknamed Leaky Vessels) [1]. Vulnerable software includes Docker, BuildKit, containerd and runc. Nectar services such as the Container Orchestration Engine (Magnum) are impacted.
Impact
A malicious image may be able to break out of its container onto the host VM. This can be triggered either by running a malicious image or by building one.
Workaround
As there are a number of attacks and related CVEs (CVE-2024-23652, CVE-2024-23651 and CVE-2024-23653), the information here may not be complete for your situation. Please evaluate the vulnerability in your environment. The links at the end of this article may be helpful.
In general, you can limit the impact with the following:
- Only build images from trusted sources
- Only run trusted images
Snyk (snyk.io) has scanned popular images and has found no evidence of this being exploited in the wild yet [2]. However, this may change.
Fixes
Please update your software to the following versions:
- runc: 1.1.12
- containerd: 1.16.28 or 1.17.13
- docker: 24.0.9 or 25.0.1
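The version gate implied by the list above, as an added example that is not part of this advisory or of the runc/Docker projects: it reads `runc --version` and `docker --version` on the host and compares each against the fixed versions stated above, one minimum per release branch. It assumes only that those two tools print their version on the first line of `--version` output; containerd can be added to the same table with the minimums listed above.

```shell
#!/bin/sh
# Added example (not the advisory's or the projects' own code): gate the installed
# runc and docker versions against the fixed versions listed in this advisory.
# One minimum per release branch (major.minor), as stated above.
RUNC_FIXED="1.1.12"
DOCKER_FIXED="24.0.9 25.0.1"

# Dotted-numeric compare: succeeds when $1 >= $2 (missing parts count as 0).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Succeeds when installed version $1 carries the fix, given the advisory's
# minimums in $2: same-branch versions compare directly; a release line newer
# than every listed minimum is treated as fixed; anything else is not.
is_fixed() {
    inst=$1; highest=""
    for m in $2; do
        if [ "${inst%.*}" = "${m%.*}" ]; then
            version_ge "$inst" "$m" && return 0
            return 1
        fi
        if [ -z "$highest" ] || version_ge "$m" "$highest"; then highest=$m; fi
    done
    version_ge "$inst" "$highest" && return 0
    return 1
}

# First line of `<tool> --version`, reduced to its dotted numeric version.
installed_version() {
    command -v "$1" >/dev/null 2>&1 || return 1
    "$1" --version 2>/dev/null | head -n 1 | sed 's/[^0-9]*\([0-9][0-9.]*\).*/\1/'
}

for tool in runc docker; do
    if ! v=$(installed_version "$tool"); then echo "$tool: not installed, skipped"; continue; fi
    case $tool in runc) mins=$RUNC_FIXED ;; *) mins=$DOCKER_FIXED ;; esac
    if is_fixed "$v" "$mins"; then echo "$tool $v: fixed"
    else echo "$tool $v: NOT FIXED, update to one of: $mins"; fi
done
```

A version on a branch the advisory does not list (for example an older docker 23.x) is reported as not fixed rather than guessed at.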
Magnum
Update 22/02/2024:
There are instructions on updating containerd for Magnum at https://support.ehelp.edu.au/a/solutions/articles/6000270733?portalId=6000043010
Links
1. Original announcement - https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/
2. https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/
3. Docker advisory - https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/
4. runc advisory - https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv