Security Advisory

Statement on the runc Breakout Vulnerability (CVE-2024-21626) in Alibaba Cloud Products

Updated on: Thursday, February 1, 2024

Alibaba Cloud has taken notice of the runc breakout vulnerability (CVE-2024-21626) and has taken immediate mitigation actions. We will continue to follow this vulnerability closely to ensure the security of our cloud products.

We strongly recommend that you keep your runc applications and systems updated by manually installing the latest versions or by using their automatic update feature.


Affected products and mitigation progress:

Container Service for Kubernetes (ACK)
Affected ACK products include Container Service for Kubernetes (ACK), ACK Serverless, Distributed Cloud Container Platform for Kubernetes (ACK One), and ACK Lingjun.

- Affected clusters: Clusters running containerd runtime version 1.5.13 or 1.6.20.
● Clusters running other versions of containerd are not affected.
● Clusters that use the Docker runtime are not affected.
● Newly created clusters, as well as nodes added to existing clusters, are not affected, because they run the most recent version of containerd by default.

- Mitigation progress:
● Managed node pools of existing clusters will be automatically updated during your configured maintenance window. For more information about managed node pools, see "Overview of managed node pools".
● If your cluster doesn't use managed node pools, you need to update your containerd runtime to the latest version. For more information, see "Node pool updates" and "Containerd release note".
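
The affected-cluster criteria above can be checked per node with the following added example, which is not part of the original advisory or Alibaba Cloud's tooling. It classifies the runtime string each node reports in `.status.nodeInfo.containerRuntimeVersion`; the function names, the constructed sample inventory, and the choice to ignore a build suffix after the version are assumptions.

```shell
#!/bin/sh
# Added example: classify nodes by container runtime using the advisory's criteria.
# Expected input lines: "<node-name> <runtime>", as printed by
#   kubectl get nodes --no-headers \
#     -o custom-columns=NAME:.metadata.name,RUNTIME:.status.nodeInfo.containerRuntimeVersion

classify_runtime() {
    # $1 is a runtime string such as "containerd://1.6.20" or "docker://19.3.15"
    case "$1" in
        containerd://*)
            ver=${1#containerd://}
            base=${ver%%[-+~]*}   # assumption: a build suffix does not change the verdict
            case "$base" in
                1.5.13|1.6.20) echo AFFECTED ;;      # versions named in the advisory
                *)             echo NOT_AFFECTED ;;  # other containerd versions
            esac ;;
        docker://*) echo NOT_AFFECTED ;;             # Docker runtime per the advisory
        *)          echo UNKNOWN ;;                  # runtime the advisory does not cover
    esac
}

report_nodes() {
    # Reads "<node> <runtime>" lines on stdin; prints "<status> <node> <runtime>"
    while read -r node runtime; do
        [ -n "$node" ] || continue
        printf '%s %s %s\n' "$(classify_runtime "$runtime")" "$node" "$runtime"
    done
}

count_affected() {
    # Number of nodes on stdin that still need the containerd update
    report_nodes | awk '$1 == "AFFECTED" { n++ } END { print n + 0 }'
}

# Constructed sample inventory (not real cluster data)
SAMPLE_NODES='node-a containerd://1.6.20
node-b containerd://1.6.28
node-c docker://19.3.15
node-d containerd://1.5.13'

printf '%s\n' "$SAMPLE_NODES" | report_nodes
```

To check a live cluster, pipe the `kubectl` command shown in the header comment into `report_nodes` instead of the sample inventory.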

For information about announcements and updates of vulnerabilities in ACK, see "Security bulletins".


Elastic Container Instance (ECI)
ECI has been updated to fix this vulnerability. This update automatically applies to ECIs created through the standard procedure.


Notification
We have been following up on the vulnerability and will inform our users of any updates through announcements. If you need further details or assistance, contact customer service.

Reference
GitHub: https://github.com/opencontainers/runc/releases
Overview of managed node pools: https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/user-guide/overview-of-managed-node-pools
Node pool updates: https://www.alibabacloud.com/help/en/ack/ack-managed-and-ack-dedicated/user-guide/node-pool-updates
Security bulletins: https://www.alibabacloud.com/help/en/ack/product-overview/security-bulletins/
Containerd release note: https://www.alibabacloud.com/help/en/ack/product-overview/release-notes-for-containerd