
Runc symbolic link mount and container escape vulnerability alert (cve-2021-30465)

2022-06-23 06:01:00 Foxconn quality inspector zhangquandan

runC is a CLI tool, based on the OCI (Open Container Initiative) standard, for creating and running containers; the Docker engine itself is built on runc internally. On February 11, 2019, researchers disclosed details of a runc container escape vulnerability through the oss-security mailing list (https://www.openwall.com/list… ). Under OpenWall's rules, the exploit (EXP) would be made public seven days later, on February 18, 2019.

This vulnerability may allow a container running as root to execute arbitrary code on the host as a privileged user. In practice, this means a container can break out to the Docker host (by overwriting the runc CLI binary); all that is required is the ability to run a container as root. An attacker can exploit it through a compromised Docker image, or by running an exec command against an uninfected, already-running container. Known mitigations for this problem include:

  • Running with a read-only host filesystem
  • Running with user namespaces enabled
  • Not running as root inside the container
  • Correctly configured AppArmor / SELinux policies (the current default policies are insufficient)

The Rancher team responded immediately


After receiving the disclosure email, the RancherOS team immediately tried to script the attack: a very simple script run inside an ordinary container completed the attack against the host, replacing the runc binary with another program.

After the vulnerability was disclosed, Docker promptly released 18.09.2, and users can upgrade to this version to fix it. The Rancher Labs R&D team also responded immediately, releasing Rancher v2.1.6, v2.0.11 and v1.6.26. These three new Rancher versions support the just-released Docker 18.09.2, so Rancher users can upgrade their Docker version to avoid being affected by this security vulnerability.


What if you can't upgrade the Docker version?


Usually, for a variety of reasons, many users' production environments cannot easily be upgraded to a very new Docker version.

To help users who cannot follow Docker's official recommendation to upgrade to the latest version, Docker 18.09.2, the Rancher Labs team went a step further and back-ported the fix to all versions of Docker, providing patches that fix this vulnerability for Docker 1.12.6, 1.13.1, 17.03.2, 17.06.2, 17.09.1, 18.03.1 and 18.06.1. For the patches and installation instructions, please refer to:

https://github.com/rancher/ru….

Container Service runc vulnerability (CVE-2021-30465) fix instructions - Dynamics and announcements - Document center - Tencent Cloud. Vulnerability details: component: runc; vulnerability name: runc path traversal vulnerability; CVE number: CVE-2021-30465; fix strategy: upgrade runc to 1.0.0-rc95 or above. Fix progress: TKE completed the fix for incremental nodes in September 2021. https://cloud.tencent.com/document/product/457/72048
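As an added example (not from the original post, Rancher or Tencent Cloud), a small Python check that decides whether a host's runc is at or above the 1.0.0-rc95 fix level named above. The sample `runc --version` outputs are constructed; the detail it handles is that runc's `-rcNN` pre-releases sort before the final 1.0.0, so a naive string comparison gets the answer wrong.

```python
import re

# Minimum runc release carrying the CVE-2021-30465 fix (per the page).
FIXED_RUNC = "1.0.0-rc95"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?")


def parse_runc_version(output: str):
    """Extract (major, minor, patch, rc) from `runc --version` output.

    rc is an int for pre-releases (1.0.0-rc93 -> 93) and None for a
    final release (1.0.0 -> None); the first x.y.z match is used.
    """
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError(f"no runc version found in: {output!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else None)


def _sort_key(v):
    """Total order in which every rc of x.y.z ranks below the x.y.z GA."""
    major, minor, patch, rc = v
    is_ga = 1 if rc is None else 0
    return (major, minor, patch, is_ga, rc or 0)


def runc_is_fixed(output: str, fixed: str = FIXED_RUNC) -> bool:
    """True when the installed runc is at or above the fixed release."""
    return _sort_key(parse_runc_version(output)) >= _sort_key(parse_runc_version(fixed))


# Constructed sample outputs (not captured from real hosts; commit ids are dummies).
SAMPLES = {
    "rc10": "runc version 1.0.0-rc10\ncommit: 0000000\nspec: 1.0.1-dev",
    "rc93": "runc version 1.0.0-rc93\ncommit: 0000000\nspec: 1.0.2-dev",
    "rc95": "runc version 1.0.0-rc95\ncommit: 0000000\nspec: 1.0.2-dev",
    "ga": "runc version 1.0.0\ncommit: v1.0.0-0-g0000000\nspec: 1.0.2-dev",
}


def check_samples():
    """Map each sample name to whether that runc build is at the fix level."""
    return {name: runc_is_fixed(out) for name, out in SAMPLES.items()}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{name}: {'fixed' if ok else 'VULNERABLE (upgrade runc)'}")
```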

Original site

Copyright notice
This article was written by [Foxconn quality inspector zhangquandan]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/174/202206230407333032.html