Notice of runC systemd Attribute Injection Vulnerability (CVE-2024-3154)
Security experts in the industry have revealed a systemd attribute injection vulnerability in runC (CVE-2024-3154). This vulnerability enables attackers to insert harmful systemd attributes (such as ExecStartPre, ExecStart, and ExecReload) into pod annotations, granting them the ability to execute any action on the host.
Description
Type | CVE-ID | Severity | Discovered
---|---|---|---
Code execution | CVE-2024-3154 | Critical | 2024-04-26
Impact
An attacker can abuse the runC systemd cgroup functionality to insert harmful systemd attributes (such as ExecStartPre, ExecStart, and ExecReload) into pod annotations, allowing them to execute any action on the host.
CCE clusters are not affected by this vulnerability, because the runC systemd cgroup feature is not in use.
Identification Method
You can run commands on a node to view the cgroup used by the container engine.
- For a node whose container engine is containerd, run the following command:
crictl info |grep -i systemdCgroup
The following is an example command output:
"systemdCgroup": false
- For a node whose container engine is docker, run the following command:
docker info |grep "Cgroup"
The following is an example command output:
Cgroup Driver: cgroupfs
In both example outputs the container engine uses cgroupfs rather than the systemd cgroup driver, so the container engine is not affected by this vulnerability.
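The two checks above can be combined into a single script that classifies a node's cgroup driver from the output of `crictl info` or `docker info`. This is an added example, not part of the Huawei Cloud notice; the output formats it matches are the ones shown above, and the sample outputs are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the original notice): decide from container engine
# output whether the runC systemd cgroup feature is in use on this node.

# cgroup_driver_from_output TEXT
#   TEXT is the captured output of `crictl info` (containerd) or `docker info`.
#   Prints "systemd" if the systemd cgroup driver is in use, "cgroupfs" if not,
#   and "unknown" if neither marker is found.
cgroup_driver_from_output() {
    out="$1"
    # containerd: "systemdCgroup": true|false in the JSON from `crictl info`
    if printf '%s\n' "$out" | grep -qi '"systemdCgroup": *true'; then
        echo systemd
    elif printf '%s\n' "$out" | grep -qi '"systemdCgroup": *false'; then
        echo cgroupfs
    # docker: "Cgroup Driver: systemd|cgroupfs" line from `docker info`
    elif printf '%s\n' "$out" | grep -qi 'Cgroup Driver: *systemd'; then
        echo systemd
    elif printf '%s\n' "$out" | grep -qi 'Cgroup Driver: *cgroupfs'; then
        echo cgroupfs
    else
        echo unknown
    fi
}

# check_node: pick whichever engine CLI is present on the node and classify it.
check_node() {
    if command -v crictl >/dev/null 2>&1; then
        cgroup_driver_from_output "$(crictl info 2>/dev/null)"
    elif command -v docker >/dev/null 2>&1; then
        cgroup_driver_from_output "$(docker info 2>/dev/null)"
    else
        echo unknown
    fi
}

# Constructed sample outputs (abbreviated to the relevant line) for offline runs.
SAMPLE_CONTAINERD='  "systemdCgroup": false,'
SAMPLE_DOCKER=' Cgroup Driver: systemd'
```

Run `check_node` on a node; a result of `systemd` means the runC systemd cgroup feature is enabled and the node warrants further review, while `cgroupfs` matches the unaffected configuration described above.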
Solution
The runC systemd cgroup feature is not enabled for Huawei Cloud CCE clusters. Therefore, the clusters are not affected by the vulnerability CVE-2024-3154.
Helpful Links
The runC systemd cgroup feature: https://github.com/opencontainers/runc/blob/main/docs/systemd.md#auxiliary-properties