Skip to main content
Version: latest

CVE-2024-21626

CVE Details

Visit the official vulnerability details page for CVE-2024-21626 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

github.com/opencontainers/runc

NIST CVE Summary

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

CVE Severity

8.6

Our Official Summary

A file descriptor leak issue was found in the runc package. These vulnerabilities not only enable malicious actors to escape containerized environments but also allow for full control over the underlying host system. The presence of these dependencies in the container does not imply a security risk to the containerized application itself, as it is based on low-level packages included, and the impact to the container's core functionality is minimal.

Upstream fix from the 3rd party vendors is awaited. We will upgrade the images once the upstream fix becomes available.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.5.15⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.11⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.10⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.8⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.5⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.5.4⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted
4.4.20⚠️ Impacted⚠️ Impacted⚠️ Impacted⚠️ Impacted

Revision History

DateRevision
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11, 4.5.15
12/03/2024Official summary revised: A file descriptor leak issue was found in the runc package. These vulnerabilities not only enable malicious actors to escape containerized environments but also allow for full control over the underlying host system. The presence of these dependencies in the container does not imply a security risk to the containerized application itself, as it is based on low-level packages included, and the impact to the container's core functionality is minimal.Upstream fix from the 3rd party vendors is awaited. We will upgrade the images once the upstream fix becomes available.
11/29/2024Official summary revised: This vulnerability is a false positive. Although this is reported by the scanning tools on some of the components, further checks indicate the symbol/function with the vulnerability while present is not being used.
11/28/2024Advisory is now impacting.
11/27/2024Advisory is no longer impacting.
11/27/2024Official summary revised: This CVE is non impacting as the impacting symbol and/or function is not used in the product.
11/25/2024Advisory is now impacting.
11/25/2024Advisory is no longer impacting.
11/25/2024Official summary revised: This CVE is non impacting as the impacting symbol and/or function is not used in the product.
11/24/2024Advisory is now impacting.
11/24/2024Advisory is no longer impacting.
11/24/2024Official summary revised: This CVE is non impacting as the impacting symbol and/or function is not used in the product.
11/23/2024Advisory is now impacting.
11/23/2024Advisory is no longer impacting.
11/23/2024Official summary revised: This CVE is non impacting as the impacting symbol and/or function is not used in the product.
11/22/2024Advisory is now impacting.
11/22/2024Advisory is no longer impacting.
11/22/2024Official summary revised: This CVE is non impacting as the impacting symbol and/or function is not used in the product.
11/21/2024Advisory is now impacting.
11/20/2024Advisory is no longer impacting.
11/20/2024Official summary revised: This CVE is non impacting as the impacting symbol and/or function is not used in the product.
11/17/2024Advisory is now impacting.
11/17/2024Advisory is no longer impacting.
11/17/2024Official summary revised: This CVE is non impacting as the impacting symbol and/or function is not used in the product.
11/16/2024Advisory is now impacting.
11/16/2024Advisory is no longer impacting.
11/16/2024Official summary revised: This CVE is non impacting as the impacting symbol and/or function is not used in the product.
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.4.20 to 4.5.4, 4.5.5, 4.5.8, 4.4.20, 4.5.10
11/13/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.4.20
11/12/2024Advisory is now impacting.
11/11/2024Advisory is no longer impacting.
11/11/2024Official summary revised: This CVE is non impacting as the impacting symbol and/or function is not used in the product.
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
11/02/2024Advisory is now impacting.
10/31/2024Advisory is no longer impacting.
10/31/2024Official summary added
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5