
CVE-2024-21626

CVE Details

CVE-2024-21626

Last Update

11/7/2024

NIST CVE Summary

runc is a CLI tool for spawning and using containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
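The summary above gives one concrete, checkable fact: 1.1.12 is the first runc release carrying the fix. The following POSIX shell snippet is an added example, not code from the advisory or from the runc project; it parses the first line of `runc --version` output (which has the form `runc version X.Y.Z`) and classifies the build as patched or vulnerable by numeric version comparison. The sample outputs embedded at the bottom are constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the advisory or the runc project): classify a runc
# build against the fix version named in the CVE-2024-21626 summary.

FIXED_VERSION="1.1.12"   # release stated in the NIST summary as carrying the fix

# Extract "X.Y.Z" from the first line of `runc --version` output.
# Anything after the numeric part (e.g. "+dev" or "-rc1") is ignored.
runc_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^runc version \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) when $1 >= $2, comparing up to three dotted numeric
# components; missing components count as 0 (so "1.1" == "1.1.0").
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0;
      yi = (i <= m) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# Classify a captured `runc --version` output.
# Prints a one-line verdict and returns 0 (patched), 1 (vulnerable)
# or 2 (version could not be parsed).
runc_cve_2024_21626_status() {
  v=$(runc_version_from_output "$1")
  if [ -z "$v" ]; then
    echo "unknown: could not parse runc version from output"
    return 2
  fi
  if version_ge "$v" "$FIXED_VERSION"; then
    echo "patched (runc $v >= $FIXED_VERSION)"
    return 0
  fi
  echo "vulnerable (runc $v < $FIXED_VERSION)"
  return 1
}

# Constructed sample outputs for the demo; the commit line is a placeholder.
SAMPLE_OLD='runc version 1.1.11
commit: 0000000
spec: 1.0.2-dev'
SAMPLE_NEW='runc version 1.1.12
commit: 0000000
spec: 1.0.2-dev'

if [ "${1:-}" = "--demo" ]; then
  runc_cve_2024_21626_status "$SAMPLE_OLD"
  runc_cve_2024_21626_status "$SAMPLE_NEW"
fi
```

On a real node, feed it the live output: `runc_cve_2024_21626_status "$(runc --version 2>/dev/null)"`. Two caveats apply to any version-string check like this one: a distribution may backport the fix into a package whose runc version string is still below 1.1.12 (the check then reports "vulnerable" even though the package is fixed, so the distribution's own advisory is authoritative), and pre-release suffixes are stripped before comparison, so a 1.1.12 release candidate is treated as 1.1.12.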

Our Official Summary

A file descriptor leak issue was found in the runc package. These vulnerabilities not only enable malicious actors to escape containerized environments but also allow for full control over the underlying host system. The presence of these dependencies in the container does not imply a security risk to the containerized application itself, as the issue lies in the low-level packages included, and the impact on the container's core functionality is minimal. We are waiting on an upstream fix from the 3rd party vendors and will upgrade the images once the upstream fix becomes available.

CVE Severity

8.6

Status

Ongoing

Affected Products & Versions

  • Palette VerteX airgap 4.4.14, 4.4.18, 4.5.3
  • Palette Enterprise airgap 4.4.18, 4.5.3, 4.5.8
  • Palette VerteX 4.5.3
  • Palette Enterprise 4.5.3, 4.5.8

Revision History

  • 1.0 08/16/2024 Initial Publication
  • 2.0 08/17/2024 Added Palette VerteX airgap 4.4.14 to Affected Products
  • 3.0 09/17/2024 Added Palette VerteX airgap 4.4.18 & Palette Enterprise airgap 4.4.18 to Affected Products
  • 4.0 10/10/2024 Added Palette VerteX airgap 4.5.3 & Palette Enterprise airgap 4.5.3 to Affected Products
  • 5.0 10/14/2024 Added Palette Enterprise & Palette VerteX 4.5.3 to Affected Products
  • 6.0 11/7/2024 Added Palette Enterprise & Palette Enterprise airgap 4.5.8 to Affected Products