Jump to content

Vulnerability in runc allows escape from Docker and Kubernetes containers

Recommended Posts

A vulnerability (https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv) CVE-2024-21626 has been found in the runc isolated container toolkit (https://github.com/opencontainers/runc/) that allows access to the file system of a host environment from within an isolated container. During an attack, an attacker could overwrite some executable files in the host environment and thus achieve execution of his code outside the container.

The vulnerability has been fixed in the runc 1.1.12 release (https://github.com/opencontainers/runc/releases/tag/v1.1.12).

In the case of Docker or Kubernetes, the attack can be accomplished by preparing a specially crafted container image, after installing and running it from the container it is possible to access an external FS. With Docker, it is possible to exploit via a specially designed Dockerfile.

In addition, five more vulnerabilities (CVE-2024-23651, CVE-2024-23652, CVE-2024-23653, CVE-2024-23650, CVE-2024-24557) have been identified (https://www.docker.com/blog/docker-security-advisory-multiple-vulnerabilities-in-runc-buildkit-and-moby/) in Docker toolkit components, which have already been fixed.


Link to comment
Share on other sites

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...

Important Information

By using this site you automatically agree to the Privacy Policy | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.