Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nNXA2LTMyN20tM2Z4eM4AA5Bp
Talos Linux ships runc vulnerable to the escape to the host attack
Impact
Snyk has discovered a vulnerability in all versions of runc <=1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes. Exploitation of this issue can result in container escape to the underlying host OS, either through executing a malicious image or building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned the CVE-2024-21626.
Patches
runc runtime was updated to 1.1.12 in Talos v1.5.6 and v1.6.4.
Workarounds
Inspect the workloads running on the cluster to make sure they are not trying to exploit the vulnerability.
References
Permalink: https://github.com/advisories/GHSA-g5p6-327m-3fxxJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nNXA2LTMyN20tM2Z4eM4AA5Bp
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Identifiers: GHSA-g5p6-327m-3fxx
References:
- https://github.com/siderolabs/talos/security/advisories/GHSA-g5p6-327m-3fxx
- https://github.com/advisories/GHSA-g5p6-327m-3fxx
Blast Radius: 0.0
Affected Packages
go:github.com/siderolabs/talos
Dependent packages: 1Dependent repositories: 1
Downloads:
Affected Version Ranges: < 1.5.6, >= 1.6.0, < 1.6.4
Fixed in: 1.5.6, 1.6.4
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.8.5, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3
All unaffected versions: 1.5.6, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.7.0, 1.7.1