{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-016.pdf"
    },
    "title": "High Vulnerability in the runc package",
    "serial_number": "2024-016",
    "publish_date": "06-02-2024 20:24:54",
    "description": "A critical vulnerability has been identified in all versions of the runc package up to and including 1.1.11, affecting Docker, Kubernetes, and other containerisation technologies. This vulnerability, tracked as \"CVE-2024-21626\" with a CVSS score of 8.6, enables attackers to escape containers and potentially gain unauthorised access to the host operating system.<br>\n",
    "url_title": "2024-016",
    "content_markdown": "---\ntitle: 'High Vulnerability in the runc package'\nnumber: '2024-016'\nversion: '1.0'\noriginal_date: 'January 31, 2024'\ndate: 'February 6, 2024'\n---\n\n_History:_\n\n* _06/02/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nA critical vulnerability has been identified in all versions of the **runc** package up to and including 1.1.11, affecting Docker, Kubernetes, and other containerisation technologies [1,2]. This vulnerability, tracked as `CVE-2024-21626` with a CVSS score of 8.6, enables attackers to escape containers and potentially gain unauthorised access to the host operating system.\n\n# Technical Details\n\nThe vulnerability `CVE-2024-21626` arises from an internal file descriptor leak within runc, a core component for running containers according to the Open Container Initiative (OCI) standards.\n\nThe vulnerability manifests through the improper handling of file descriptors and the `WORKDIR` directive in Dockerfiles, allowing a container process to maintain access to privileged host directory file descriptors.\n\nAttackers can exploit this by manipulating the container's working directory to point to these file descriptors, gaining the ability to read from or write to the host filesystem.\n\n# Affected Products\n\nThis vulnerability impacts systems running runc version 1.1.11 and earlier. Due to runc's widespread use in container runtimes like Docker and Kubernetes, a significant number of containerised environments may be vulnerable.\n\n# Recommendations\n\nCERT-EU recommends upgrading to runc version 1.1.12, which includes patches for this issue. Additionally, technologies that incorporate runc should be updated to their latest patched versions. Following vendor advisories and applying updates for container hosting services and infrastructure is also advised.\n\n# References\n\n[1] <https://snyk.io/fr/blog/cve-2024-21626-runc-process-cwd-container-breakout/>\n\n[2] <https://threatprotect.qualys.com/2024/02/02/docker-patches-multiple-vulnerabilities-impacting-runc-buildkit-and-moby-leaky-vessels/>\n\n[3] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-21626>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>06/02/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A critical vulnerability has been identified in all versions of the <strong>runc</strong> package up to and including 1.1.11, affecting Docker, Kubernetes, and other containerisation technologies [1,2]. This vulnerability, tracked as <code>CVE-2024-21626</code> with a CVSS score of 8.6, enables attackers to escape containers and potentially gain unauthorised access to the host operating system.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <code>CVE-2024-21626</code> arises from an internal file descriptor leak within runc, a core component for running containers according to the Open Container Initiative (OCI) standards.</p><p>The vulnerability manifests through the improper handling of file descriptors and the <code>WORKDIR</code> directive in Dockerfiles, allowing a container process to maintain access to privileged host directory file descriptors.</p><p>Attackers can exploit this by manipulating the container's working directory to point to these file descriptors, gaining the ability to read from or write to the host filesystem.</p><h2 id=\"affected-products\">Affected Products</h2><p>This vulnerability impacts systems running runc version 1.1.11 and earlier. Due to runc's widespread use in container runtimes like Docker and Kubernetes, a significant number of containerised environments may be vulnerable.</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends upgrading to runc version 1.1.12, which includes patches for this issue. Additionally, technologies that incorporate runc should be updated to their latest patched versions. Following vendor advisories and applying updates for container hosting services and infrastructure is also advised.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://snyk.io/fr/blog/cve-2024-21626-runc-process-cwd-container-breakout/\">https://snyk.io/fr/blog/cve-2024-21626-runc-process-cwd-container-breakout/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://threatprotect.qualys.com/2024/02/02/docker-patches-multiple-vulnerabilities-impacting-runc-buildkit-and-moby-leaky-vessels/\">https://threatprotect.qualys.com/2024/02/02/docker-patches-multiple-vulnerabilities-impacting-runc-buildkit-and-moby-leaky-vessels/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-21626\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-21626</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}