Addressing CVE-2024-21626 for vSphere with Tanzu
Article ID: 323406

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

CVE-2024-21626 was recently disclosed and affects runc 1.1.11 and earlier. vSphere with Tanzu ships the affected runc versions and is therefore impacted by this CVE. The statement below, taken from the official CVE description, summarizes the potential attacks and their impact on the underlying platform.
 

In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b").


Resolution

There is no workaround that can be applied to mitigate this vulnerability.

This vulnerability can only be mitigated by patching to one of the following Tanzu Kubernetes releases (TKrs).
These TKrs include runc 1.1.12 and containerd version 1.6.28.

TKr 1.26.13 for vSphere 8.x (Released 3/15/2024)
Note: Requires Supervisor Cluster to be at vCenter Server 8.0 U1c and later

TKr 1.27.10 for vSphere 7.x (Released 4/5/2024)
Note: Requires Supervisor Cluster to be at vCenter Server 7.0 Update 3P and later
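One way to confirm that every node in a Tanzu Kubernetes cluster is on a patched build is to check the container runtime version that each node reports in its status against the containerd 1.6.28 baseline named above (runc itself is not reported in node status, so the containerd version serves as the proxy, since the fixed TKrs bundle both). The script below is an added example and is not part of this article or of any VMware tooling; it reads the JSON that `kubectl get nodes -o json` produces, and the embedded node names and versions are constructed sample data.

```python
import json
import re
import sys
from typing import Dict, List, Tuple

# Minimum containerd version shipped in the fixed TKrs named in the article.
FIXED_CONTAINERD = (1, 6, 28)


def parse_runtime_version(runtime: str) -> Tuple[str, Tuple[int, ...]]:
    """Split a node's containerRuntimeVersion, e.g. 'containerd://1.6.24',
    into ('containerd', (1, 6, 24)). Suffixes after the patch number are ignored."""
    m = re.fullmatch(r"([a-z-]+)://v?(\d+)\.(\d+)\.(\d+).*", runtime)
    if not m:
        raise ValueError(f"unrecognised containerRuntimeVersion: {runtime!r}")
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def vulnerable_nodes(node_list: Dict) -> List[Tuple[str, str]]:
    """Return (node name, runtime string) for each node whose containerd is
    older than the fixed build. Nodes not running containerd are skipped."""
    findings = []
    for node in node_list.get("items", []):
        name = node["metadata"]["name"]
        runtime = node["status"]["nodeInfo"]["containerRuntimeVersion"]
        engine, version = parse_runtime_version(runtime)
        if engine == "containerd" and version < FIXED_CONTAINERD:
            findings.append((name, runtime))
    return findings


# Constructed sample in the shape `kubectl get nodes -o json` returns;
# node names and versions are made up for this example.
SAMPLE_NODES = {
    "items": [
        {"metadata": {"name": "tkc-control-plane-abc12"},
         "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.6.24"}}},
        {"metadata": {"name": "tkc-workers-xyz-7f9"},
         "status": {"nodeInfo": {"containerRuntimeVersion": "containerd://1.6.28"}}},
    ]
}

if __name__ == "__main__":
    # Pipe real output in (`kubectl get nodes -o json | python3 check.py`),
    # otherwise fall back to the constructed sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_NODES
    for name, runtime in vulnerable_nodes(data):
        print(f"{name}: {runtime} predates containerd 1.6.28 / runc 1.1.12 - not yet patched")
```

Run it once per Tanzu Kubernetes cluster; any node it lists is still on a pre-fix TKr and needs the upgrade described above.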