{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21626", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T03:00:44.953Z", "datePublished": "2024-01-31T21:31:14.391Z", "dateUpdated": "2025-02-13T17:33:15.658Z"}, "containers": {"cna": {"title": "runc container breakout through process.cwd trickery and leaked fds", "problemTypes": [{"descriptions": [{"cweId": "CWE-403", "lang": "en", "description": "CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-668", "lang": "en", "description": "CWE-668: Exposure of Resource to Wrong Sphere", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv"}, {"name": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf", "tags": ["x_refsource_MISC"], "url": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf"}, {"name": "https://github.com/opencontainers/runc/releases/tag/v1.1.12", "tags": ["x_refsource_MISC"], "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/01/1"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/02/3"}, {"url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html"}], "affected": [{"vendor": "opencontainers", "product": "runc", "versions": [{"version": ">=v1.0.0-rc93, < 1.1.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-19T03:06:14.739Z"}, "descriptions": [{"lang": "en", "value": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (\"attack 1\"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\"). runc 1.1.12 includes patches for this issue."}], "source": {"advisory": "GHSA-xr7r-f8xq-vfvv", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-19T07:48:05.378Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv"}, {"name": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf"}, {"name": "https://github.com/opencontainers/runc/releases/tag/v1.1.12", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12"}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/01/1", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/02/02/3", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html", "tags": ["x_transferred"]}, {"url": "https://www.vicarius.io/vsociety/posts/leaky-vessels-part-1-cve-2024-21626"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*", "matchCriteriaId": "D656F217-AB80-4BE5-8CDC-54C53AF3DAA9", "versionEndExcluding": "1.1.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (\"attack 1\"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\"). runc 1.1.12 includes patches for this issue. "}, {"lang": "es", "value": "runc es una herramienta CLI para generar y ejecutar contenedores en Linux de acuerdo con la especificaci\u00f3n OCI. En runc 1.1.11 y versiones anteriores, debido a una fuga interna de un descriptor de archivo, un atacante podr\u00eda provocar que un proceso contenedor reci\u00e9n generado (de runc exec) tuviera un directorio de trabajo en el espacio de nombres del sistema de archivos del host, lo que permitir\u00eda un escape del contenedor al otorgar acceso. al sistema de archivos del host (\"ataque 2\"). El mismo ataque podr\u00eda ser utilizado por una imagen maliciosa para permitir que un proceso contenedor obtenga acceso al sistema de archivos del host a trav\u00e9s de runc run (\"ataque 1\"). Las variantes de los ataques 1 y 2 tambi\u00e9n podr\u00edan usarse para sobrescribir archivos binarios de host semiarbitrarios, permitiendo escapes completos de contenedores (\"ataque 3a\" y \"ataque 3b\"). runc 1.1.12 incluye parches para este problema."}], "id": "CVE-2024-21626", "lastModified": "2024-11-21T08:54:45.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-31T22:15:53.780", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html"}, {"source": "security-advisories@github.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/02/01/1"}, {"source": "security-advisories@github.com", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/02/02/3"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv"}, {"source": "security-advisories@github.com", "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html"}, {"source": "security-advisories@github.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/"}, {"source": "security-advisories@github.com", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/02/01/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/02/02/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/opencontainers/runc/releases/tag/v1.1.12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.vicarius.io/vsociety/posts/leaky-vessels-part-1-cve-2024-21626"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-403"}, {"lang": "en", "value": "CWE-668"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank The Snyk Reseacher Team for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:4597", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-0:2.440.3.1718879390-3.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2024-07-17T00:00:00Z"}, {"advisory": "RHSA-2024:4597", "cpe": "cpe:/a:redhat:ocp_tools:4.15::el8", "package": "jenkins-2-plugins-0:4.15.1718879538-1.el8", "product_name": "OCP-Tools-4.15-RHEL-8", "release_date": "2024-07-17T00:00:00Z"}, {"advisory": "RHSA-2024:0717", "cpe": "cpe:/a:redhat:rhel_extras_other:7", "package": "runc-0:1.0.0-70.rc10.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extras", "release_date": "2024-02-07T00:00:00Z"}, {"advisory": "RHSA-2024:1270", "cpe": "cpe:/a:redhat:rhel_extras_other:7", "package": "docker-2:1.13.1-210.git7d71120.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extras", "release_date": "2024-03-12T00:00:00Z"}, {"advisory": "RHSA-2024:0748", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:4.0-8090020240201111813.d7b6f4b7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0752", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "container-tools:rhel8-8090020240201111839.d7b6f4b7", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0758", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "container-tools:2.0-8020020240206120705.28c38760", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0758", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "container-tools:2.0-8020020240206120705.28c38760", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0758", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "container-tools:2.0-8020020240206120705.28c38760", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0760", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "container-tools:3.0-8040020240207051234.c0c392d5", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0760", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "container-tools:3.0-8040020240207051234.c0c392d5", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0760", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "container-tools:3.0-8040020240207051234.c0c392d5", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0757", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "container-tools:4.0-8060020240205133014.3b538bd8", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0764", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "container-tools:rhel8-8060020240206151655.3b538bd8", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0759", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "container-tools:rhel8-8080020240206143933.0f77c1b7", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0670", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "runc-4:1.1.12-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-02-02T00:00:00Z"}, {"advisory": "RHSA-2024:0756", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "runc-4:1.1.12-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0755", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "runc-4:1.1.12-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0684", "cpe": "cpe:/a:redhat:openshift:4.11::el8", "impact": "moderate", "package": "runc-3:1.1.2-3.1.rhaos4.11.el8", "product_name": "Red Hat OpenShift Container Platform 4.11", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2024:0666", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "impact": "moderate", "package": "runc-3:1.1.6-5.1.rhaos4.12.el8", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2024-02-08T00:00:00Z"}, {"advisory": "RHSA-2025:2441", "cpe": "cpe:/a:redhat:openshift:4.12::el8", "package": "openshift-enterprise-builder-container-v4.12.0-202503030130.p0.g7c2a284.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.12", "release_date": "2025-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:0662", "cpe": "cpe:/a:redhat:openshift:4.13::el8", "impact": "moderate", "package": "runc-4:1.1.12-1.rhaos4.13.el8", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2024-02-07T00:00:00Z"}, {"advisory": "RHSA-2025:2701", "cpe": "cpe:/a:redhat:openshift:4.13::el8", "package": "openshift4/ose-docker-builder:v4.13.0-202503111300.p0.gb379980.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.13", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2024:0645", "cpe": "cpe:/a:redhat:openshift:4.14::el8", "impact": "moderate", "package": "runc-4:1.1.12-1.rhaos4.14.el9", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2024-02-07T00:00:00Z"}, {"advisory": "RHSA-2025:2710", "cpe": "cpe:/a:redhat:openshift:4.14::el8", "package": "openshift4/ose-docker-builder:v4.14.0-202503060906.p0.gb03f3f5.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2025-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:10525", "cpe": "cpe:/a:redhat:openshift:4.14::el9", "package": "microshift-0:4.14.42-202411280904.p0.gcf4d04f.assembly.4.14.42.el9", "product_name": "Red Hat OpenShift Container Platform 4.14", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2025:1711", "cpe": "cpe:/a:redhat:openshift:4.15::el8", "package": "openshift4/ose-docker-builder:v4.15.0-202502171304.p0.gb74eb6d.assembly.stream.el8", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2025-02-27T00:00:00Z"}, {"advisory": "RHSA-2024:10841", "cpe": "cpe:/a:redhat:openshift:4.15::el9", "package": "microshift-0:4.15.41-202412091343.p0.gcf9680e.assembly.4.15.41.el9", "product_name": "Red Hat OpenShift Container Platform 4.15", "release_date": "2024-12-12T00:00:00Z"}, {"advisory": "RHSA-2024:10149", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "microshift-0:4.16.24-202411220522.p0.gcc4fedc.assembly.4.16.24.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2024-11-26T00:00:00Z"}, {"advisory": "RHSA-2025:0650", "cpe": "cpe:/a:redhat:openshift:4.16::el9", "package": "openshift4/ose-docker-builder-rhel9:v4.16.0-202501160405.p0.g300d9ad.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.16", "release_date": "2025-01-29T00:00:00Z"}, {"advisory": "RHSA-2024:10520", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "microshift-0:4.17.7-202411280904.p0.g129334d.assembly.4.17.7.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2024-12-03T00:00:00Z"}, {"advisory": "RHSA-2025:0115", "cpe": "cpe:/a:redhat:openshift:4.17::el9", "package": "openshift4/ose-docker-builder-rhel9:v4.17.0-202501052337.p0.gbb33e13.assembly.stream.el9", "product_name": "Red Hat OpenShift Container Platform 4.17", "release_date": "2025-01-14T00:00:00Z"}], "bugzilla": {"description": "runc: file descriptor leak", "id": "2258725", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2258725"}, "csaw": true, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-200", "details": ["runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (\"attack 1\"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\"). runc 1.1.12 includes patches for this issue.", "A file descriptor leak issue was found in the runc package. While a user performs `O_CLOEXEC` all file descriptors before executing the container code, the file descriptor is open when performing `setcwd(2)`, which means that the reference can be kept alive in the container by configuring the working directory to be a path resolved through the file descriptor. The non-dumpable bit is unset after `execve`, meaning there are multiple ways to attack this other than bad configurations. The only way to defend against it entirely is to close all unneeded file descriptors."], "mitigation": {"lang": "en:us", "value": "Red Hat Enterprise Linux (RHEL) and OpenShift ships with SELinux in targeted enforcing mode, which prevents the container processes from accessing host content and mitigates this attack. Dockerfiles can be inspected on the 'RUN'\u00a0and 'WORKDIR' directives to ensure that there are no escapes or malicious paths, which are an indication of compromise. Limiting access and only using trusted container images can help prevent unauthorized access and malicious attacks."}, "name": "CVE-2024-21626", "package_state": [{"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Under investigation", "package_name": "ocp-tools-4/jenkins-agent-base-rhel8", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:openshift_power_monitoring", "fix_state": "Under investigation", "package_name": "kepler-container", "product_name": "Power monitoring for Red Hat OpenShift"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Under investigation", "package_name": "buildah", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "podman", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "buildah", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "cri-o", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "cri-tools", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "openshift4/ose-aws-ebs-csi-driver-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "openshift4/ose-aws-efs-csi-driver-container-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "openshift4/ose-csi-driver-nfs-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-hyperkube-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "openshift4/ose-kube-proxy", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "openshift4/ose-node-feature-discovery", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "openshift4/ose-powervs-block-csi-driver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "openshift4/ose-sdn-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-tests", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-vmware-vsphere-csi-driver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-vsphere-csi-driver-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift4/ose-vsphere-csi-driver-syncer-rhel8", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Under investigation", "package_name": "podman", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/passt-network-binding-plugin-cni-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/passt-network-binding-plugin-sidecar-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/sidecar-shim-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-api", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-api-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-artifacts-server", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-artifacts-server-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-controller", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-controller-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-exportproxy", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-exportproxy-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-exportserver", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-exportserver-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-handler", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-handler-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-launcher", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-launcher-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-operator", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "container-native-virtualization/virt-operator-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Affected", "package_name": "container-native-virtualization/wasp-agent-rhel9", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:container_native_virtualization:4", "fix_state": "Under investigation", "package_name": "kubevirt", "product_name": "Red Hat OpenShift Virtualization 4"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Under investigation", "package_name": "quay/quay-builder-rhel8", "product_name": "Red Hat Quay 3"}], "public_date": "2024-01-31T20:01:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-21626\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-21626\nhttps://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv"], "statement": "These vulnerabilities not only enable malicious actors to escape containerized environments but also allow for full control over the underlying host system. With the widespread adoption of containerization technologies in both development and production environments, such exploits pose significant risks to data integrity, confidentiality, and system stability.\nOpenShift Container Platform ships with SELinux in targeted enforcing mode, which prevents the container processes from accessing host content and mitigates this attack, and disabling SELinux on the Openshift container platform is not supported. Hence, the impact of the Openshift Container Platform is reduced to Moderate.\nFor multicluster-engine (MCE) vulnerable versions of buildkit and runc are part of installed version of oc. However, they are not affecting the higher-level assisted-installer binary in MCE. The presence of these dependencies in the container does not imply a security risk to the containerized application itself, as it is based on low-level packages included in the oc binary, and the impact to the container's core functionality is minimal.\nThis flaw doesn't affect the OpenShift Tools & Services as the affected code is only used for testing and is not exposed to the final user.", "threat_severity": "Important"}