Brand new high severity container breakout vulnerability just got dropped by Snyk's security research team. Codenamed “Leaky Vessels”. Read more here: https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/
Leaky Vessels: Docker and runc Container Breakout Vulnerabilities - January 2024 | Snyk
Snyk Security Labs Team has identified four container breakout vulnerabilities in core container infrastructure components including Docker and runc, which also impacts Kubernetes.
FYI, this is an extremely important vulnerability. It impacts a TON of software and systems on the internet. You will need to patch ASAP to protect critical infrastructure.
Want more behind-the-scenes info? We published a podcast interview about the new Leaky Vessels vulnerability here with the security researcher who found it: https://www.devseccon.com/the-secure-developer-podcast/inside-the-matrix-of-container-security-a-deep-dive-into-container-breakout-vulnerabilities
Inside The Matrix Of Container Security: A Deep Dive Into Container Breakout Vulnerabilities | DevSecCon
RunC Flaws Enable Container Escapes, Granting Attackers Host Access | The Hacker News
Critical Container Exploits Found in runC. These flaws allow attackers to break out of containers and access sensitive data or launch further attacks.
Looks like AWS has already made the fixes for their services (awesome news!): https://aws.amazon.com/security/security-bulletins/AWS-2024-001/
CVE-2024-21626 - Runc container issue | Amazon Web Services, Inc.
Vulnerabilities in Docker, other container engines enable host OS access | CSO Online
Leaky Vessels container escape vulnerabilities in Docker runc and other container runtimes potentially break the isolation layer between container and host operating system.
Looks like Red Hat is investigating the impact on their services: https://access.redhat.com/security/cve/cve-2024-21626#cve-faq
@rdegges Thanks for the updates and links. Good reads to have. I just checked my Arch Linux instances and they already ship the latest patched version of runc as well.
@winni that’s awesome!