GCP-2024-005

Google Cloud Platform Security Advisory

Published: 2024-01-31
Reference: CVE-2024-21626

GKE

Description

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

GKE Standard and Autopilot clusters are impacted.

Clusters using GKE Sandbox aren’t impacted, because sandboxed Pods run under gVisor rather than under runc.

What should I do?

We’re updating GKE with code to fix this vulnerability. We’ll update this bulletin when patch versions are available. Until patched node versions are available, treat permission to create Pods on affected clusters as equivalent to full access to the node filesystem, and restrict it accordingly.

What vulnerabilities are addressed by this patch?

runc is the low-level tool that spawns and runs the Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container, and runc did not verify that a container’s final working directory was inside the container’s mount namespace. A malicious container image, or a user with permission to run arbitrary Pods, could combine the leaked file descriptors with the missing working-directory check to reach the node’s host mount namespace, read the entire host filesystem, and overwrite arbitrary binaries on the node.

Severity: High
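As an added illustration of the two defects described above (this is constructed example code, not runc’s code and not part of Google’s bulletin), the following Python script models them on a plain Linux host with no containers involved: a directory file descriptor opened by a parent leaks into an exec’d child because close-on-exec was not set, the child enters that directory through the /proc/self/fd/N magic link, and a working-directory containment check of the kind runc lacked rejects the result. A temporary directory stands in for the container rootfs (no chroot is performed), the hardening shown is FD_CLOEXEC on the descriptor plus a realpath-based containment check, and paths are resolved from the host’s view, which is a simplification; runc’s actual fix lives in runc init and is not reproduced here. All directory names and the child program are assumptions made for the example.

```python
"""
Model of the two defects behind CVE-2024-21626 on a plain Linux host, with no
containers involved (constructed example; not runc's code):

  1. a directory file descriptor opened by the parent leaks into an exec'd
     child because FD_CLOEXEC was not set, and
  2. the child is allowed to chdir() to /proc/self/fd/<N>, which the kernel
     resolves to wherever that descriptor points, outside the intended root.

A temporary directory stands in for the container rootfs (no chroot happens),
so "outside" means "not under that directory". The hardened variants set
close-on-exec on the descriptor and validate the final working directory.
"""
import os
import subprocess
import sys
import tempfile

# Child program: try to enter fd N via the /proc magic link and report where
# it ended up. Argument 1 is the fd number the parent expects it to inherit.
CHILD = r"""
import os, sys
fd = int(sys.argv[1])
try:
    os.chdir(f"/proc/self/fd/{fd}")      # the escape path when fd is leaked
except OSError as e:
    print(f"chdir-failed errno={e.errno}")
else:
    print(os.path.realpath(os.getcwd()))
"""


def run_child(fd: int, leak: bool) -> str:
    """Exec a child that attempts chdir(/proc/self/fd/<fd>) and return its report.

    leak=True  leaves the descriptor inheritable (the leak);
    leak=False sets FD_CLOEXEC so the kernel drops it at exec (the hardening).
    """
    os.set_inheritable(fd, leak)
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, str(fd)],
        close_fds=False,                # a runtime that does not scrub fds itself
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def cwd_inside_rootfs(rootfs: str, cwd: str) -> bool:
    """The missing validation: the resolved cwd must be rootfs or a path below it.

    Simplification: both paths are resolved from the host's view with realpath,
    so a symlink inside rootfs that points outside it is caught as well.
    """
    root = os.path.realpath(rootfs)
    real = os.path.realpath(cwd)
    return real == root or real.startswith(root + os.sep)


def demo() -> dict:
    """Run the vulnerable and hardened cases and return what was observed."""
    with tempfile.TemporaryDirectory() as rootfs, \
            tempfile.TemporaryDirectory() as outside:
        outside_real = os.path.realpath(outside)
        # A symlink inside the "rootfs" that points outside it (constructed).
        os.symlink(outside_real, os.path.join(rootfs, "escape"))

        fd = os.open(outside, os.O_RDONLY | os.O_DIRECTORY)
        try:
            leaked = run_child(fd, leak=True)    # vulnerable: fd inherited
            cloexec = run_child(fd, leak=False)  # hardened: fd closed at exec
        finally:
            os.close(fd)

        return {
            "outside_real": outside_real,
            "leaked_cwd": leaked,
            "leaked_cwd_passes_check": cwd_inside_rootfs(rootfs, leaked),
            "cloexec_result": cloexec,
            "legit_cwd_passes_check": cwd_inside_rootfs(
                rootfs, os.path.join(rootfs, "app")),
            "symlink_cwd_passes_check": cwd_inside_rootfs(
                rootfs, os.path.join(rootfs, "escape")),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the descriptor left inheritable, the child lands in the outside directory and the containment check rejects that location; with FD_CLOEXEC set, the magic link no longer resolves to it. The check also rejects a symlink that resolves outside the root while accepting an ordinary path below it. Scrubbing inherited descriptors and validating the final working directory are the two independent controls, and a runtime needs both.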

GKE on VMware

Description

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

Patch versions and a severity assessment for GKE on VMware are in progress. We’ll update this bulletin with that information when it’s available.

What vulnerabilities are addressed by this patch?

runc is the low-level tool that spawns and runs the Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container, and runc did not verify that a container’s final working directory was inside the container’s mount namespace. A malicious container image, or a user with permission to run arbitrary Pods, could combine the leaked file descriptors with the missing working-directory check to reach the node’s host mount namespace, read the entire host filesystem, and overwrite arbitrary binaries on the node.

Severity: High

GKE on AWS

Description

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

Patch versions and a severity assessment for GKE on AWS are in progress. We’ll update this bulletin with that information when it’s available.

What vulnerabilities are addressed by this patch?

runc is the low-level tool that spawns and runs the Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container, and runc did not verify that a container’s final working directory was inside the container’s mount namespace. A malicious container image, or a user with permission to run arbitrary Pods, could combine the leaked file descriptors with the missing working-directory check to reach the node’s host mount namespace, read the entire host filesystem, and overwrite arbitrary binaries on the node.

Severity: High

GKE on Azure

Description

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods on Container-Optimized OS and Ubuntu nodes might be able to gain full access to the node filesystem.

What should I do?

Patch versions and a severity assessment for GKE on Azure are in progress. We’ll update this bulletin with that information when it’s available.

What vulnerabilities are addressed by this patch?

runc is the low-level tool that spawns and runs the Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container, and runc did not verify that a container’s final working directory was inside the container’s mount namespace. A malicious container image, or a user with permission to run arbitrary Pods, could combine the leaked file descriptors with the missing working-directory check to reach the node’s host mount namespace, read the entire host filesystem, and overwrite arbitrary binaries on the node.

Severity: High

GKE on Bare Metal

Description

A security vulnerability, CVE-2024-21626, has been discovered in runc where a user with permission to create Pods might be able to gain full access to the node filesystem.

What should I do?

Patch versions and a severity assessment for GKE on Bare Metal are in progress. We’ll update this bulletin with that information when it’s available.

What vulnerabilities are addressed by this patch?

runc is the low-level tool that spawns and runs the Linux containers used in Kubernetes Pods. In runc versions prior to the patches released in this security bulletin, several file descriptors were inadvertently leaked into the runc init process that runs within a container, and runc did not verify that a container’s final working directory was inside the container’s mount namespace. A malicious container image, or a user with permission to run arbitrary Pods, could combine the leaked file descriptors with the missing working-directory check to reach the node’s host mount namespace, read the entire host filesystem, and overwrite arbitrary binaries on the node.

Severity: High
