2024-02-08
This advisory addresses the impact of CVE-2024-21626, a vulnerability identified within runc, and its implications for the Mirantis Kubernetes Engine (MKE). Given that MKE relies heavily on the Mirantis Container Runtime (MCR), this vulnerability directly impacts its operational integrity. We aim to clarify the situation, explain the mitigation steps, and provide actionable guidance for MKE users.
CVE ID: CVE-2024-21626
CVSS score: 8.6 (High) CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-403, CWE-668
MKE deployment requires installation of MCR. Older versions of MCR (<= 23.0.9) contain the vulnerability in the underlying runc (<= 1.1.11-rc1) component. Please see the MCR advisory for details. MKE deployments with MCR <= 23.0.9 require an upgrade to MCR 23.0.9-1 or later to patch runc to 1.1.11-rc1.m1.
No MKE Image Update Needed
While CVE-2024-21626 might appear in vulnerability scans of your MKE images due to the dependent library, an update to MKE images is not currently required. We understand this discrepancy can be confusing. To address this and enhance transparency, we are actively working to remove unnecessary references to the vulnerability from future MKE image scans. This update is planned for upcoming MKE releases.
- Connect to each node in your MKE cluster individually using their respective Docker contexts. Alternatively, access each node using SSH.
- Check the runc version on each node by executing the docker command: docker version --format '{{range .Server.Components}}{{if eq .Name "runc"}}{{.Version}}{{end}}{{end}}'
- If any node reports a runc version <= 1.1.11-rc1, your MKE cluster is vulnerable.
If your MKE cluster is deployed with Launchpad and the Launchpad configuration corresponds to the current cluster configuration, you can update MCR with Launchpad using the following steps:
- Install Launchpad v1.5.4 or newer following the installation guide.
- Configure the MCR version to 23.0.9.
For example:
apiVersion: launchpad.mirantis.com/mke/v1.3
kind: mke
metadata:
  ....
spec:
  ....
  "mcr":
    "channel": "stable"
    "installURLLinux": "https://get.mirantis.com/"
    "installURLWindows": "https://get.mirantis.com/install.ps1"
    "repoURL": "https://repos.mirantis.com"
    "version": "23.0.9"
  ....
Note: the MCR version must be exactly 23.0.9 (NOT 23.0.9-1).
- Run Launchpad apply with the --force-upgrade flag: ./launchpad apply --force-upgrade
- Check the runc version on all nodes.
Please refer to the MCR advisory for the steps to upgrade MCR on all vulnerable nodes. The process is the same as upgrading to any supported MCR version within a running MKE environment.
After completing the upgrade, use the docker version command again (as shown in the previous section) to verify that runc has been updated to version 1.1.11-rc1.m1.
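The runc version check in the detection steps and the post-upgrade verification above can be scripted across all nodes. The following is an added example and is not part of the Mirantis advisory or Launchpad: it wraps the advisory's docker version command in POSIX shell functions, runs it against every Docker context configured on the machine, and classifies the reported runc version using the advisory's own thresholds (vulnerable if <= 1.1.11-rc1, patched if it is the 1.1.11-rc1.m1 build shipped with MCR 23.0.9-1). It goes slightly beyond the advisory text by also treating upstream 1.1.12 and later as fixed, per the timeline, and every other build below 1.1.12 as vulnerable. The function names and the use of docker context ls to enumerate nodes are assumptions; an empty or unparseable version (for example an unreachable daemon) is reported as vulnerable so that a node that cannot be checked is never silently treated as safe.

```shell
#!/bin/sh
# Added example, not from the Mirantis advisory: classify runc versions and
# scan every Docker context with the advisory's "docker version" command.

# runc_is_vulnerable VERSION
# Returns 0 (true) when VERSION is a runc build the advisory treats as
# vulnerable, 1 when it is patched. Rules taken from the advisory/timeline:
#   - 1.1.11-rc1.m1 is the patched Mirantis build shipped with MCR 23.0.9-1
#   - upstream 1.1.12 and later are fixed
#   - anything else below 1.1.12, and any unparseable value, is vulnerable
runc_is_vulnerable() {
  ver=$1
  # Exact patched build named in the advisory (only this build is recognized)
  [ "$ver" = "1.1.11-rc1.m1" ] && return 1
  # Drop any pre-release or build suffix ("-rc1", "+dev") to get X.Y.Z
  base=${ver%%[-+]*}
  # Fail closed: an empty or non-numeric version (e.g. "unknown") is vulnerable
  case "$base" in
    ''|*[!0-9.]*) return 0 ;;
  esac
  major=$(printf '%s' "$base" | cut -s -d. -f1)
  minor=$(printf '%s' "$base" | cut -s -d. -f2)
  patch=$(printf '%s' "$base" | cut -s -d. -f3)
  # Numeric comparison against 1.1.12, the first fixed upstream release
  [ "${major:-0}" -gt 1 ] && return 1
  [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -gt 1 ] && return 1
  [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -eq 1 ] && [ "${patch:-0}" -ge 12 ] && return 1
  return 0
}

# runc_version_for_context CONTEXT (hypothetical helper)
# Prints the runc version reported by the Docker daemon behind CONTEXT using
# the advisory's format string, or "unknown" if the daemon cannot be reached.
runc_version_for_context() {
  docker --context "$1" version \
    --format '{{range .Server.Components}}{{if eq .Name "runc"}}{{.Version}}{{end}}{{end}}' \
    2>/dev/null || echo unknown
}

# check_all_contexts (hypothetical helper)
# Enumerates the Docker contexts configured on this machine (one per MKE node
# when following the advisory) and prints one status line per node.
# Returns 1 if any node is vulnerable, 0 otherwise.
check_all_contexts() {
  status=0
  for ctx in $(docker context ls -q); do
    ver=$(runc_version_for_context "$ctx")
    if runc_is_vulnerable "$ver"; then
      printf 'VULNERABLE  %s  runc %s\n' "$ctx" "$ver"
      status=1
    else
      printf 'ok          %s  runc %s\n' "$ctx" "$ver"
    fi
  done
  return $status
}

# Run the scan only when a docker CLI is available; otherwise just define
# the functions (e.g. when this file is sourced).
if command -v docker >/dev/null 2>&1; then
  check_all_contexts
fi
```

Run the script once before the upgrade to list which nodes still report a vulnerable runc, and again afterwards: a clean run prints only "ok" lines and exits 0, which makes it usable as a gate in an upgrade pipeline. Nodes reached over SSH rather than a Docker context can be checked by running the same docker version command on the node and feeding the output to runc_is_vulnerable.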
Found by Rory McNamara at Snyk
- 2023-11-20: Rory McNamara initially discovered the vulnerabilities. He began the internal verification process and additional research to validate findings and build POC exploits.
- 2024-01-02: runc CVE assigned (Github CNA).
- 2024-01-17: runc sends an announcement to their security mailing list including the patches & embargo date of 31-Jan-2024.
- 2024-01-24: Docker vulnerabilities CVEs assigned (GitHub CNA).
- 2024-01-31: All four "Leaky Vessels" vulnerabilities announced publicly.
- 2024-01-31: Runc released version 1.1.12 which fixes the vulnerabilities.
- 2024-02-08: MCR 23.0.9-1 released