OpenShift Container Platform 4.14 update for runc

1) Security features bypass

EUVDB-ID: #VU85991

Risk: High

CVSSv4.0: 7.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2024-21626

CWE-ID: CWE-254 - Security Features

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to an internal file descriptor leak that can cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace or a malicious image to allow a container process to gain access to the host filesystem through runc run. A remote attacker can trick the victim into loading a malicious image to bypass sandbox restrictions and execute arbitrary code on the host OS.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat OpenShift Container Platform: 4.14.0 - 4.14.10

spdlog (Red Hat package): before 1.13.0-1.rhaos4.14.el9

runc (Red Hat package): before 1.1.12-1.rhaos4.14.el8

ose-aws-ecr-image-credential-provider (Red Hat package): before 4.14.0-202401261353.p0.g607e2dd.assembly.stream.el8

openstack-ironic-python-agent (Red Hat package): before 9.6.1-0.20240103100525.3197b9d.el9

openshift (Red Hat package): before 4.14.0-202401231033.p0.g28ed2d7.assembly.stream.el8

crun (Red Hat package): before 1.14-1.rhaos4.14.el8

cri-tools (Red Hat package): before 1.27.0-3.el8

container-selinux (Red Hat package): before 2.226.0-1.rhaos4.14.el8

kernel-rt (Red Hat package): before 5.14.0-284.50.1.rt14.335.el9_2

kernel (Red Hat package): before 5.14.0-284.50.1.el9_2

CPE2.3

• cpe:2.3:a:red_hat:red_hat_openshift_container_platform:4.14.10:*:*:*:*:*:*:*
• cpe:2.3:o:red_hat:spdlog_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:runc_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:ose-aws-ecr-image-credential-provider_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:openstack-ironic-python-agent_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:openshift_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:crun_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:cri-tools_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:container-selinux_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:kernel-rt_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*
• cpe:2.3:o:red_hat:kernel_redhat_package:*:*:*:*:*:red_hat_enterprise_linux:*:*

External links

https://access.redhat.com/errata/RHSA-2024:0645

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.