Updated on 2022-04-01 GMT+08:00

Fixing the runc Symlink Mount and Container Escape Vulnerability (CVE-2021-30465)

Context

runc is vulnerable to a symlink exchange attack whereby an attacker can request a seemingly innocuous pod or container configuration that actually results in the host filesystem being bind-mounted into the container, allowing a container escape. CVE-2021-30465 has been assigned to this vulnerability. The details and a proof of concept (PoC) for this vulnerability have already been publicly disclosed, so the risk is high.

If you are a runc user, check your runc version and apply security hardening promptly.

Vulnerability ID

CVE-2021-30465

Vulnerability Name

runC symlink mount and container escape vulnerability

Scope of Impact

  • Affected versions: runc 1.0.0-rc94 and earlier
  • Secure version: runc 1.0.0-rc95

Official Solution

This vulnerability has been fixed in the latest official release. If your runc version falls within the affected range, upgrade it to the latest secure version.

Download address: https://github.com/opencontainers/runc/releases
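To make the version check above repeatable across hosts, the following POSIX shell script is an added example (not code from this page or from the runc project): it classifies the first line of `runc --version` output against the affected range stated above. It assumes upstream-style version strings such as `1.0.0-rc93` and treats the Debian-style `1.0.0~rc93+ds1-5` form the same way.

```shell
#!/bin/sh
# Added example: classify a runc version string for CVE-2021-30465.
# Affected: runc 1.0.0-rc94 and earlier. Fixed: 1.0.0-rc95 and later
# (the 1.0.0 GA release and every later version also carry the fix).

# Extract the version token from the first line of "runc --version" output
# (e.g. "runc version 1.0.0-rc93") or from a bare version string.
runc_version_token() {
    printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^\(runc version \)\{0,1\}v\{0,1\}\([0-9][0-9A-Za-z.+~-]*\).*/\2/p'
}

# Return 0 if the version is in the affected range, 1 if it carries the fix,
# 2 if the string cannot be parsed.
runc_is_vulnerable() {
    ver=$(runc_version_token "$1")
    [ -n "$ver" ] || return 2
    rc=""
    case $ver in
        # "1.0.0-rc93" (upstream) and "1.0.0~rc93+ds1-5" (Debian) carry an rc number.
        *-rc*|*~rc*) rc=${ver#*rc}; rc=${rc%%[!0-9]*}; ver=${ver%%[-~]*} ;;
        *)           ver=${ver%%[-+~]*} ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    case "$major$minor$patch" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 1 ] && return 0                     # 0.x predates rc94
    if [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -eq 0 ]; then
        [ -n "$rc" ] && [ "$rc" -le 94 ] && return 0   # 1.0.0-rc1 .. 1.0.0-rc94
        return 1                                       # 1.0.0-rc95+ or 1.0.0 GA
    fi
    return 1                                           # 1.0.1, 1.1.x, ...
}

# Print a one-line verdict for a version string (usable from a cron job or inventory script).
runc_report() {
    if runc_is_vulnerable "$1"; then
        printf 'AFFECTED: %s (upgrade to runc 1.0.0-rc95 or later)\n' "$1"
    elif [ $? -eq 1 ]; then
        printf 'FIXED: %s\n' "$1"
    else
        printf 'UNPARSED: %s\n' "$1"
    fi
}

# Stand-alone use: report on the runc binary installed on this host, if any.
if command -v runc >/dev/null 2>&1; then
    runc_report "$(runc --version 2>/dev/null | head -n 1)"
fi
```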

Detecting and Fixing the Vulnerability

Container Guard Service (CGS) can prevent and monitor escapes that exploit this vulnerability.

CGS monitors the status of containers in a cluster in real time, generates alarms for abnormal events, and provides recommended solutions.

  • Check frequency

    Real-time check

  • Detection mechanism

    For details about how the vulnerability is detected, see Viewing Container Runtime Security Details.

  • Viewing detection details

    On the Runtime Security page, you can check the container escape trend chart and event list (see Figure 1), and handle abnormal events based on the solutions provided.

    • On the Container Environment tab, you can monitor and prevent container escapes.
    • On the Container Escapes tab, you can monitor container escape behavior.

    Figure 1 Runtime security