Headline
GHSA-g5p6-327m-3fxx: Talos Linux ships runc vulnerable to the escape to the host attack
Impact
Snyk has discovered a vulnerability in all versions of runc <=1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes. Exploitation of this issue can result in container escape to the underlying host OS, either through executing a malicious image or building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned the CVE-2024-21626.
Patches
runc runtime was updated to 1.1.12 in Talos v1.5.6 and v1.6.4.
Workarounds
Inspect the workloads running on the cluster to make sure they are not trying to exploit the vulnerability.
References
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-g5p6-327m-3fxx
Talos Linux ships runc vulnerable to the escape to the host attack
High severity GitHub Reviewed Published Feb 2, 2024 in siderolabs/talos • Updated Feb 2, 2024
Package
gomod github.com/siderolabs/talos (Go)
Affected versions
>= 1.6.0, < 1.6.4
< 1.5.6
Patched versions
1.6.4
1.5.6
Impact
Snyk has discovered a vulnerability in all versions of runc <=1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes. Exploitation of this issue can result in container escape to the underlying host OS, either through executing a malicious image or building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned the CVE-2024-21626.
Patches
runc runtime was updated to 1.1.12 in Talos v1.5.6 and v1.6.4.
Workarounds
Inspect the workloads running on the cluster to make sure they are not trying to exploit the vulnerability.
References
- CVE-2024-21626
- Vulnerability: runc process.cwd and leaked fds container breakout
References
- GHSA-g5p6-327m-3fxx
Published to the GitHub Advisory Database
Feb 2, 2024