Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice of runC systemd Attribute Injection Vulnerability (CVE-2024-3154)
Updated on 2024-11-11 GMT+08:00

Notice of runC systemd Attribute Injection Vulnerability (CVE-2024-3154)

Security experts in the industry have revealed a vulnerability in runC related to systemd attribute injection (CVE-024-3154). This vulnerability enables attackers to insert harmful systemd attributes (such as ExecStartPre, ExecStart, and ExecReload) into pod annotations, granting them the ability to execute any action on the host.

Description

Table 1 Vulnerability details

Type

CVE-ID

Severity

Discovered

Code execution

CVE-2024-3154

Critical

2024-04-26

Impact

Attackers exploit the runC systemd cgroup functionality to insert harmful systemd attributes (such as ExecStartPre, ExecStart, and ExecReload) into pod annotations, allowing them to execute any action on the host.

CCE clusters are not affected by this vulnerability, because the runC systemd cgroup feature is not in use.

Identification Method

You can run commands on a node to view the cgroup used by the container engine.

  • For a node whose container engine is containerd, run the following command:
    crictl info |grep -i systemdCgroup

    The following is an example command output:

    "systemdCgroup": false
  • For a node whose container engine is docker, run the following command:
    docker info |grep "Cgroup"

    The following is an example command output:

    Cgroup Driver: cgroupfs

Based on the information provided, it appears that the container engine uses cgroupfs and not the systemd cgroup. Therefore, the container engine is not affected by this vulnerability.

Solution

The runC systemd cgroup feature is not enabled for Huawei Cloud CCE clusters. Therefore, the clusters are not affected by the vulnerability CVE-2024-3154.