Links

Advisory on CVE-2024-21626

Container Escape via runc

On January 31, 2024, cybersecurity company Snyk disclosed a vulnerability in all versions of runc, up to and including 1.1.11, which is utilized by the Docker engine and other containerization technologies like Kubernetes.
The runc application is used for spawning and running containers on Linux. The vulnerability enables containerized escape for attackers that execute a malicious image or build an image using a malicious Dockerfile or an upstream image.
The CVE ID CVE-2024-21626 is assigned to this vulnerability and has a High severity with Common Vulnerability Scoring System (CVSS) of 8.6 score. For more information about the technical details of the vulnerability, see the official runc advisory and the analysis by Snyk.

Impacted IONOS Cloud Products

Product Ranges
Product
Impacted
Mitigated
Patch Status
Managed Services
Managed Kubernetes
Yes
Yes
Done

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud is committed to the privacy and security of our customers' data. We are aware of this vulnerability and have already initiated the required steps to mitigate this vulnerability. We own the patching responsibilities and have already completed patching to update runc version 1.1.12.

What action can IONOS customers take to mitigate the vulnerability?

As a best practice, ensure that Docker images use trusted and verified sources. No patching is required from your end.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.