[Security] CVE-2024-21626 (Leaky Vessels)

Summary

We are aware of a new vulnerability, CVE-2024-21626 (nicknamed Leaky Vessels) [1]. Vulnerable software includes Docker, BuildKit, containerd and runc. Nectar services such as the Container Orchestration Engine (Magnum) are impacted.


Impact

A malicious image may be able to break out of its container to the host VM. This can be triggered by running a malicious image or by building one.


Workaround

As there are a number of related attacks and CVEs (CVE-2024-23652, CVE-2024-23651 and CVE-2024-23653), the information here may not be complete for your situation. Please evaluate the vulnerability in your environment. The links at the end of this article may be helpful.


In general, you can limit the impact with the following:

- Only build images from trusted sources

- Only run trusted images


snyk.io has scanned popular images and has found no evidence of this being exploited in the wild yet [2]. However, this may change.


Fixes

Please update your software to the following versions:


runc - 1.1.12

containerd - 1.16.28 or 1.17.13

docker - 24.0.9 or 25.0.1
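The following shell script is an added example and is not part of this article or of any of the projects it names. It parses the first line of a tool's `--version` output and reports whether the installed release is at or above the first fixed release on its own branch, so that docker 25.0.0 is still reported vulnerable even though it is numerically above 24.0.9. The runc and docker minima are the versions listed above; containerd is checked the same way by passing its two listed versions. The command outputs at the bottom are constructed for the demo; on a real host, pass the live output of `runc --version`, `containerd --version` and `docker --version` instead.

```shell
#!/bin/sh
# Added example (not from the article): compare installed container runtime
# versions against the first fixed release on each branch.
set -u

# Print the first dotted x.y.z version on the first line of the given text,
# e.g. "Docker version 24.0.8, build 1a2b3c4" -> 24.0.8 and "foo v1.2.3" -> 1.2.3.
# A space is prepended so a version at the very start of the line also matches.
extract_version() {
    printf ' %s\n' "$1" |
        sed -n '1s/^.*[ v]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# version_ge A B: succeed when dotted version A is >= B, comparing field by
# field and treating missing fields as 0 (so 1.2 >= 1.1.12).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_fixed INSTALLED FIXED...: print fixed / vulnerable / unknown.
# Each FIXED is the first patched release of one x.y branch (e.g. 24.0.9 and
# 25.0.1 for docker). Only the fix on the installed version's own branch
# counts, so 25.0.0 is vulnerable despite being above 24.0.9, and a branch
# with no listed fix is reported unknown rather than assumed safe.
check_fixed() {
    inst=$1; shift
    branch=${inst%.*}
    for fix in "$@"; do
        if [ "${fix%.*}" = "$branch" ]; then
            if version_ge "$inst" "$fix"; then echo fixed; return 0; fi
            echo vulnerable; return 1
        fi
    done
    echo unknown; return 2
}

# report NAME VERSION_OUTPUT FIXED...: one status line per component; never fails.
report() {
    name=$1; out=$2; shift 2
    ver=$(extract_version "$out")
    if [ -z "$ver" ]; then
        echo "$name: could not parse a version from: $out"
        return 0
    fi
    status=$(check_fixed "$ver" "$@") || true
    echo "$name $ver: $status (fixed in: $*)"
}

# Constructed sample output shaped like the first line of `runc --version`
# and `docker --version`; replace with live output on a real host, e.g.
#   report runc "$(runc --version | head -n1)" 1.1.12
report runc   "runc version 1.1.12"                  1.1.12
report docker "Docker version 24.0.8, build 1a2b3c4" 24.0.9 25.0.1
report docker "Docker version 25.0.0, build 5d6e7f8" 24.0.9 25.0.1
```

The branch-aware comparison is the point: a plain "installed >= 24.0.9" test would wrongly pass docker 25.0.0, and a branch the advisory does not list is reported as unknown so it gets looked at rather than silently passed.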


Magnum


Update 22/02/2024:


There are instructions on updating containerd for Magnum at https://support.ehelp.edu.au/a/solutions/articles/6000270733?portalId=6000043010


Links

1. Original announcement - https://snyk.io/blog/cve-2024-21626-runc-process-cwd-container-breakout/


2. Leaky Vessels overview - https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/


3. Docker advisory - https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/


4. runc advisory - https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
