Fixing the runc Symlink Mount and Container Escape Vulnerability (CVE-2021-30465)
Context
runc is vulnerable to a symlink exchange attack: an attacker can submit a seemingly innocuous pod or container configuration that actually results in the host filesystem being bind-mounted into the container, allowing a container escape. CVE-2021-30465 has been assigned to this vulnerability. The details and a proof of concept have already been disclosed publicly, so the risk is high.
If you are a runc user, check your runc version and apply the fix promptly.
Vulnerability ID
CVE-2021-30465
Vulnerability Name
runC symlink mount and container escape vulnerability
Scope of Impact
- Affected versions: runc 1.0.0-rc94 and earlier
- Secure version: runc 1.0.0-rc95
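The following POSIX shell snippet is an added example, not part of the original advisory or of the runc project, showing how to classify a runc version string against the affected range stated above (1.0.0-rc94 and earlier affected, 1.0.0-rc95 and later fixed). It assumes that `runc --version` prints `runc version <version>` on its first line, as upstream runc does; the sample output embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory): check a runc version string against
# the affected range for CVE-2021-30465 (<= 1.0.0-rc94 affected, >= 1.0.0-rc95 fixed).

# runc_is_affected VERSION -> prints "affected", "ok" or "unknown"
runc_is_affected() {
  v="$1"
  case "$v" in
    1.0.0-rc*)
      rc="${v#1.0.0-rc}"
      rc="${rc%%[!0-9]*}"   # drop any suffix such as "+dev" (treated conservatively)
      if [ -n "$rc" ] && [ "$rc" -le 94 ]; then echo affected; else echo ok; fi
      ;;
    0.*)
      echo affected         # every 0.x release predates the fix
      ;;
    1.0.0|1.[0-9]*)
      echo ok               # 1.0.0 final and later releases contain the rc95 fix
      ;;
    *)
      echo unknown          # unrecognised format: inspect manually
      ;;
  esac
}

# runc_version_from_output OUTPUT -> the version from the first "runc version X" line
runc_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^runc version //p'
}

# Constructed sample in the format printed by `runc --version` (values are placeholders)
SAMPLE_OUTPUT='runc version 1.0.0-rc93
commit: <commit-hash-placeholder>
spec: 1.0.2-dev'

# Usage on a real host: replace SAMPLE_OUTPUT with "$(runc --version 2>/dev/null)"
v=$(runc_version_from_output "$SAMPLE_OUTPUT")
echo "runc $v: $(runc_is_affected "$v")"
```

Run it on each node; any node that reports `affected` should be upgraded to the secure version listed above. Release-candidate suffixes such as `+dev` are deliberately treated as the base release candidate so that a partially patched build is not mistaken for a fixed one.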
Official Solution
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the latest secure version.
Download address: https://github.com/opencontainers/runc/releases
Detecting and Fixing the Vulnerability
CGS can detect and block container escapes that exploit this vulnerability.
CGS monitors the status of containers in a cluster in real time, raises alarms for abnormal events, and provides handling suggestions.
- Check frequency: real-time check
- Detection mechanism: for details about how the vulnerability is detected, see Viewing Container Runtime Security Details.
- Viewing detection details: on the Runtime Security page, you can check the container escape trend chart and event list (see Figure 1) and handle abnormal events based on the solutions provided.
- On the Container Environment tab, you can monitor and prevent container escapes.
- On the Container Escapes tab, you can monitor container escape behavior.