Notice on the runC systemd Attribute Injection Vulnerability (CVE-2024-3154)

Security experts in the industry have revealed a vulnerability in runC related to systemd attribute injection (CVE-024-3154). This vulnerability enables attackers to insert harmful systemd attributes (such as ExecStartPre, ExecStart, and ExecReload) into pod annotations, granting them the ability to execute any action on the host.

Description

**Table 1** Vulnerability information
Type	CVE-ID	Severity	Discovered
Code execution	CVE-2024-3154	Critical	2024-04-26

Impact

Attackers exploit the runC systemd cgroup functionality to insert harmful systemd attributes (such as ExecStartPre, ExecStart, and ExecReload) into pod annotations, allowing them to execute any action on the host.

CCE clusters are not affected by this vulnerability, because the runC systemd cgroup feature is not in use.

Identification Method

You can run commands on a node to view the cgroup used by the container engine.

For a node whose container engine is containerd, run the following command:
```
crictl info |grep -i systemdCgroup
```
The following is an example command output:
```
"systemdCgroup": false
```
For a node whose container engine is docker, run the following command:
```
docker info |grep "Cgroup"
```
The following is an example command output:
```
Cgroup Driver: cgroupfs
```

Based on the information provided, it appears that the container engine uses cgroupfs and not the systemd cgroup. Therefore, the container engine is not affected by this vulnerability.

Solution

The runC systemd cgroup feature is not enabled for Huawei Cloud CCE clusters. Therefore, the clusters are not affected by the vulnerability CVE-2024-3154.