The runc community recently discovered vulnerabilities CVE-2023-27561 and CVE-2023-28642, which are rated as medium severity.
- CVE-2023-27561: The libcontainer package has an incorrect access control configuration that allows privilege escalation. Attackers who can create containers from custom images with custom volume mount permissions can exploit the vulnerability to gain privileges on the host. This vulnerability is a regression of CVE-2019-19921.
- CVE-2023-28642: When the /proc path of a container is mounted through a symbolic link by using specific mount configurations, attackers can bypass the restrictions enforced by AppArmor and SELinux. The patch for this vulnerability is included in the patch for CVE-2023-27561.
Scope of impact
- The following runc versions are affected by CVE-2023-27561:
  - ≥ 1.0.0-rc95
  - < 1.1.5
- runc versions earlier than 1.1.5 are affected by CVE-2023-28642.
CVE-2023-27561 and CVE-2023-28642 are fixed in open source runc 1.1.5.
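The following script is an added example, not part of this advisory or of runc itself: it encodes the two affected ranges stated above and checks a runc version against them, treating release candidates (1.0.0-rc95) as older than the matching final release (1.0.0). The sample `runc --version` output is constructed for the example; on a real host you would feed it the actual command output.

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Affected ranges exactly as stated in the advisory:
# (CVE id, lower bound inclusive or None, upper bound exclusive).
AFFECTED_RANGES: List[Tuple[str, Optional[str], str]] = [
    ("CVE-2023-27561", "1.0.0-rc95", "1.1.5"),
    ("CVE-2023-28642", None, "1.1.5"),
]

# Constructed sample of `runc --version` output (commit value is a placeholder).
SAMPLE_OUTPUT = "runc version 1.1.4\ncommit: 0000000\nspec: 1.0.2-dev\n"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn 'X.Y.Z' or 'X.Y.Z-rcN' into a sortable key
    (major, minor, patch, is_release, rc_number) so that
    1.0.0-rc94 < 1.0.0-rc95 < 1.0.0 < 1.0.1. Distro builds with
    extra suffixes are rejected; compare those with the distro's own advisory."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version: {text!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def version_from_runc_output(output: str) -> str:
    """Extract the version from the 'runc version X.Y.Z' line of `runc --version`."""
    m = re.search(r"^runc version (\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'runc version' line in output")
    return m.group(1)


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from the advisory whose affected range contains `version`."""
    key = parse_version(version)
    hits = []
    for cve, low, high in AFFECTED_RANGES:
        if low is not None and key < parse_version(low):
            continue  # older than the first affected release
        if key >= parse_version(high):
            continue  # fixed release or newer
        hits.append(cve)
    return hits


if __name__ == "__main__":
    out = subprocess.run(["runc", "--version"], capture_output=True, text=True, check=True).stdout
    v = version_from_runc_output(out)
    print(v, affected_cves(v) or "not affected")
```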
Mitigation
You can use the following methods to mitigate the impact of the vulnerabilities:
- Enable the ACKAllowedRepos policy provided by the policy governance feature of Container Service for Kubernetes (ACK) to ensure that only trusted images are used. In addition, follow the principle of least privilege and grant only trusted users the permissions to import images. For more information, see Configure and enforce ACK pod security policies.
- Manually update runc to the latest version. For more information about the release notes of runc, see runc 1.1.5 release notes.