A container escape vulnerability (CVE-2024-21626) was discovered in runc, the low-level OCI runtime that containerd and Docker use to start containers. runc leaked an internal file descriptor that refers to the host file system into the container process, so an attacker who controls a container image or the working directory of a container (for example `process.cwd` in the runtime spec, or `WORKDIR` while an image is built) can break out of the container's mount namespace, read or write the host file system, and run binaries on the host. Fix this vulnerability as soon as possible.
Affected versions
runc
| Status | Versions |
|---|---|
| Affected | runc 1.0.0-rc93 through 1.1.11 (inclusive) |
| Fixed | runc 1.1.12 and later |
ACK clusters
Container Service for Kubernetes (ACK) clusters whose nodes run containerd 1.5.13 or containerd 1.6.20 are affected, because those builds bundle a runc in the affected range. Nodes on other containerd versions shipped by ACK are not affected.
Check the container runtime version on the basic information page of your node pool in the ACK console. The runtime version is also reported per node in the containerRuntimeVersion field of the node status; because the vulnerable component is runc itself, running runc --version on a node gives the authoritative answer.
The following are not affected:
- Nodes newly added to ACK clusters
- ACK clusters that use the Docker runtime
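The following script is an added example, not part of this page or of any Alibaba Cloud tooling. It scripts the two checks above: it classifies the runtime string that `kubectl get nodes --no-headers -o custom-columns=NAME:.metadata.name,RUNTIME:.status.nodeInfo.containerRuntimeVersion` reports for each node against the containerd builds this advisory lists, and it compares a runc version string (as printed by `runc --version` on a node) against the affected range 1.0.0-rc93 through 1.1.11. The node names, runtime strings and runc version lines in the script are constructed sample data; running the runc check on a real node assumes runc is on the PATH there.

```shell
#!/bin/sh
# Added example for the ACK advisory on CVE-2024-21626 (not code from the page).
# Two checks:
#   1. node_runtime_status / scan_nodes: classify nodes by the runtime string that
#      `kubectl get nodes` reports, using the containerd builds this advisory lists.
#   2. runc_affected: decide whether a runc version (e.g. from `runc --version`)
#      lies in the affected range 1.0.0-rc93 .. 1.1.11 (fixed in 1.1.12).

# Turn a runc version ("1.1.11", "1.0.0-rc93", or the first line of
# `runc --version`, "runc version 1.1.11") into one sortable integer:
# major*10^7 + minor*10^5 + patch*10^3 + pre, where pre is N for "-rcN" and 999
# for a final release, so release candidates sort before the release they precede.
# Returns 1 if no x.y.z version is found.
runc_version_key() {
    first=$(printf '%s\n' "$1" | head -n 1)   # only the "runc version ..." line
    v=
    for tok in $first; do
        case $tok in
            [0-9]*.[0-9]*.[0-9]*) v=$tok; break ;;
        esac
    done
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%[!0-9]*}              # drop "-rc93" or any other suffix
    case $v in
        *-rc[0-9]*) pre=${v##*-rc}; pre=${pre%%[!0-9]*} ;;
        *)          pre=999 ;;
    esac
    echo $(( major * 10000000 + minor * 100000 + patch * 1000 + pre ))
}

# Exit 0 if the version is affected (1.0.0-rc93 <= v <= 1.1.11), 1 if it is not,
# and 2 if no version could be parsed from the input.
runc_affected() {
    key=$(runc_version_key "$1") || return 2
    lo=$(runc_version_key 1.0.0-rc93)
    hi=$(runc_version_key 1.1.11)
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Classify the runtime string kubectl shows in .status.nodeInfo.containerRuntimeVersion:
#   affected   - a containerd build this advisory lists as affected
#   unaffected - Docker runtime, which this advisory lists as not affected
#   verify     - anything else: confirm with `runc --version` on the node
node_runtime_status() {
    case $1 in
        containerd://1.5.13|containerd://1.6.20) echo affected ;;
        docker://*)                              echo unaffected ;;
        *)                                       echo verify ;;
    esac
}

# Read "NAME RUNTIME" lines (the custom-columns output) on stdin, print
# "NAME RUNTIME STATUS" per node, and exit 0 if at least one node is affected.
scan_nodes() {
    found=1
    while read -r name runtime rest; do
        [ -n "$name" ] || continue
        status=$(node_runtime_status "$runtime")
        if [ "$status" = affected ]; then found=0; fi
        echo "$name $runtime $status"
    done
    return $found
}

# Constructed sample output of:
#   kubectl get nodes --no-headers \
#     -o custom-columns=NAME:.metadata.name,RUNTIME:.status.nodeInfo.containerRuntimeVersion
SAMPLE_NODES='cn-hangzhou.10.0.0.11 containerd://1.6.20
cn-hangzhou.10.0.0.12 docker://19.3.15
cn-hangzhou.10.0.0.13 containerd://1.6.28'

main() {
    if printf '%s\n' "$SAMPLE_NODES" | scan_nodes; then
        echo "at least one node runs an affected containerd build"
    fi
    # Constructed `runc --version` lines; on a real node use: runc_affected "$(runc --version)"
    for v in "runc version 1.0.0-rc92" "runc version 1.0.0-rc93" \
             "runc version 1.1.11" "runc version 1.1.12"; do
        if runc_affected "$v"; then
            echo "$v: affected, upgrade to runc 1.1.12 or later"
        else
            echo "$v: not affected"
        fi
    done
}
main "$@"
```

Nodes reported as verify are not necessarily safe: the advisory only lists the builds ACK knows to be affected, so for any other runtime confirm the bundled runc on the node before treating it as patched.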
Solutions
Update the container runtime (recommended)
Follow the containerd release notes and upgrade the runtime of your ACK node pools to a containerd version that bundles runc 1.1.12 or later. For upgrade steps, see Node pool updates.
Restrict image sources
Use the ACKAllowedRepos policy to allow only images from trusted repositories. For details, see Configure and enforce ACK pod security policies. Following the principle of least privilege, grant permission to push or import images only to trusted users.
Verify container image integrity
Sign container images and use kritis-validation-hook to verify image signatures automatically before pods are admitted to the cluster.
ACK edge clusters
For ACK edge clusters, see Fix vulnerability CVE-2024-21626.