Bug 2258725 (CVE-2024-21626, Leaky-Vessels) - CVE-2024-21626 runc: file descriptor leak
Summary: CVE-2024-21626 runc: file descriptor leak
Keywords:
Status: NEW
Alias: CVE-2024-21626, Leaky-Vessels
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2318164 2318182 2318184 2318185 2262166 2318163 2318165 2318166 2318167 2318168 2318169 2318170 2318171 2318172 2318173 2318174 2318175 2318176 2318177 2318178 2318179 2318180 2318181 2318183 2318186 2318187 2318188 2318189 2318190 2318191
Blocks: 2258742
Reported: 2024-01-17 05:00 UTC by Avinash Hanwate
Modified: 2025-03-31 12:02 UTC (History)

Fixed In Version: runc 1.1.12
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0821 0 None None None 2024-02-14 21:32:19 UTC
Red Hat Product Errata RHBA-2024:0859 0 None None None 2024-02-19 01:15:27 UTC
Red Hat Product Errata RHBA-2024:0860 0 None None None 2024-02-19 01:58:59 UTC
Red Hat Product Errata RHSA-2023:7201 0 None None None 2024-02-27 22:28:58 UTC
Red Hat Product Errata RHSA-2024:0645 0 None None None 2024-02-08 19:22:00 UTC
Red Hat Product Errata RHSA-2024:0662 0 None None None 2024-02-08 18:47:05 UTC
Red Hat Product Errata RHSA-2024:0666 0 None None None 2024-02-08 19:48:08 UTC
Red Hat Product Errata RHSA-2024:0670 0 None None None 2024-02-02 21:01:04 UTC
Red Hat Product Errata RHSA-2024:0682 0 None None None 2024-02-08 18:42:51 UTC
Red Hat Product Errata RHSA-2024:0684 0 None None None 2024-02-08 19:21:07 UTC
Red Hat Product Errata RHSA-2024:0717 0 None None None 2024-02-07 13:29:52 UTC
Red Hat Product Errata RHSA-2024:0748 0 None None None 2024-02-08 18:20:21 UTC
Red Hat Product Errata RHSA-2024:0752 0 None None None 2024-02-08 18:30:18 UTC
Red Hat Product Errata RHSA-2024:0755 0 None None None 2024-02-08 18:32:30 UTC
Red Hat Product Errata RHSA-2024:0756 0 None None None 2024-02-08 18:19:48 UTC
Red Hat Product Errata RHSA-2024:0757 0 None None None 2024-02-08 18:33:04 UTC
Red Hat Product Errata RHSA-2024:0758 0 None None None 2024-02-08 18:34:15 UTC
Red Hat Product Errata RHSA-2024:0759 0 None None None 2024-02-08 18:34:09 UTC
Red Hat Product Errata RHSA-2024:0760 0 None None None 2024-02-08 18:32:54 UTC
Red Hat Product Errata RHSA-2024:0764 0 None None None 2024-02-08 19:49:17 UTC
Red Hat Product Errata RHSA-2024:10149 0 None None None 2024-11-26 19:16:45 UTC
Red Hat Product Errata RHSA-2024:10520 0 None None None 2024-12-03 18:39:07 UTC
Red Hat Product Errata RHSA-2024:10525 0 None None None 2024-12-05 00:58:33 UTC
Red Hat Product Errata RHSA-2024:10841 0 None None None 2024-12-12 02:11:49 UTC
Red Hat Product Errata RHSA-2024:1270 0 None None None 2024-03-12 11:58:52 UTC
Red Hat Product Errata RHSA-2024:4597 0 None None None 2024-07-17 18:46:59 UTC
Red Hat Product Errata RHSA-2025:0115 0 None None None 2025-01-14 09:52:51 UTC
Red Hat Product Errata RHSA-2025:0650 0 None None None 2025-01-29 00:56:26 UTC
Red Hat Product Errata RHSA-2025:1711 0 None None None 2025-02-27 04:27:30 UTC
Red Hat Product Errata RHSA-2025:2441 0 None None None 2025-03-13 16:30:04 UTC
Red Hat Product Errata RHSA-2025:2701 0 None None None 2025-03-20 07:01:57 UTC
Red Hat Product Errata RHSA-2025:2710 0 None None None 2025-03-19 20:55:05 UTC

Description Avinash Hanwate 2024-01-17 05:00:08 UTC
The core issue is a file descriptor leak, and while we do `O_CLOEXEC` all file descriptors before executing the container code, the file descriptor is open when doing `setcwd(2)` which means that the reference can be kept alive into the container by configuring the working directory to be a path resolved through the file descriptor (and the non-dumpable bit is unset after `execve` meaning that there are multiple ways to attack this other than bad configurations).

There is also an `execve`-based attack that makes simple verification unworkable and was particularly hairy to fix (the patch involves doing `//go:linkname` to access Go runtime internals, because the only way to defend against it entirely is to close all unneeded file descriptors -- for the same reason that #!-based tricks meant that CVE-2019-5736 required drastic measures).
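
The mitigation named in the description above (making sure no unneeded file descriptor survives `execve`) can be sketched as follows. This is an added example, not part of the original report and not runc's patch: the helper names `isCloexec` and `markCloexecFrom` are hypothetical, it assumes Linux with `/proc` mounted, and it marks descriptors close-on-exec instead of closing them so the Go runtime's own descriptors stay usable.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"syscall"
)

// isCloexec reports whether FD_CLOEXEC is set on fd (hypothetical helper).
func isCloexec(fd int) (bool, error) {
	flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFD, 0)
	if errno != 0 {
		return false, errno
	}
	return flags&syscall.FD_CLOEXEC != 0, nil
}

// markCloexecFrom sets FD_CLOEXEC on every open descriptor >= minFd and
// returns the descriptors that would otherwise have been inherited.
func markCloexecFrom(minFd int) ([]int, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return nil, err
	}
	var leaked []int
	for _, e := range entries {
		fd, err := strconv.Atoi(e.Name())
		if err != nil || fd < minFd {
			continue
		}
		set, err := isCloexec(fd)
		if err != nil {
			continue // e.g. the descriptor used to list the directory, already closed
		}
		if !set {
			syscall.CloseOnExec(fd)
			leaked = append(leaked, fd)
		}
	}
	return leaked, nil
}

func main() {
	// Constructed leak: a host directory handle opened without O_CLOEXEC.
	fd, err := syscall.Open("/", syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
	if err != nil {
		panic(err)
	}
	defer syscall.Close(fd)
	leaked, _ := markCloexecFrom(3)
	fmt.Println("descriptors that were inheritable:", leaked)
}
```

Running the sweep immediately before `execve`, with 3 as the lower bound, leaves only stdin, stdout and stderr inheritable.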

Comment 4 Pedro Sampaio 2024-01-31 21:31:54 UTC
Created runc tracking bugs for this issue:

Affects: fedora-all [bug 2262166]

Comment 9 errata-xmlrpc 2024-02-02 21:01:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0670 https://access.redhat.com/errata/RHSA-2024:0670

Comment 11 errata-xmlrpc 2024-02-07 13:29:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2024:0717 https://access.redhat.com/errata/RHSA-2024:0717

Comment 12 errata-xmlrpc 2024-02-08 18:19:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0756 https://access.redhat.com/errata/RHSA-2024:0756

Comment 13 errata-xmlrpc 2024-02-08 18:20:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0748 https://access.redhat.com/errata/RHSA-2024:0748

Comment 14 errata-xmlrpc 2024-02-08 18:30:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0752 https://access.redhat.com/errata/RHSA-2024:0752

Comment 15 errata-xmlrpc 2024-02-08 18:32:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0755 https://access.redhat.com/errata/RHSA-2024:0755

Comment 16 errata-xmlrpc 2024-02-08 18:32:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0760 https://access.redhat.com/errata/RHSA-2024:0760

Comment 17 errata-xmlrpc 2024-02-08 18:33:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0757 https://access.redhat.com/errata/RHSA-2024:0757

Comment 18 errata-xmlrpc 2024-02-08 18:34:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0759 https://access.redhat.com/errata/RHSA-2024:0759

Comment 19 errata-xmlrpc 2024-02-08 18:34:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:0758 https://access.redhat.com/errata/RHSA-2024:0758

Comment 20 errata-xmlrpc 2024-02-08 18:42:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2024:0682 https://access.redhat.com/errata/RHSA-2024:0682

Comment 21 errata-xmlrpc 2024-02-08 18:47:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0662 https://access.redhat.com/errata/RHSA-2024:0662

Comment 22 errata-xmlrpc 2024-02-08 19:21:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2024:0684 https://access.redhat.com/errata/RHSA-2024:0684

Comment 23 errata-xmlrpc 2024-02-08 19:21:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0645 https://access.redhat.com/errata/RHSA-2024:0645

Comment 24 errata-xmlrpc 2024-02-08 19:48:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0666 https://access.redhat.com/errata/RHSA-2024:0666

Comment 25 errata-xmlrpc 2024-02-08 19:49:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0764 https://access.redhat.com/errata/RHSA-2024:0764

Comment 27 errata-xmlrpc 2024-02-27 22:28:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 31 errata-xmlrpc 2024-03-12 11:58:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2024:1270 https://access.redhat.com/errata/RHSA-2024:1270

Comment 36 Gandhimathy 2024-04-17 12:19:58 UTC
Hi All,
Seeing this vulnerability reported against the package "github.com/opencontainers/runc" which is bundled with either RedHat 8.9 minimal or OSE.

Looking for a fix at the earliest as it is blocking our monthly release.

Thanks & Regards,
Gandhi.

IBM MQ Container - Security Lead.

Comment 39 errata-xmlrpc 2024-07-17 18:46:56 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.15-RHEL-8

Via RHSA-2024:4597 https://access.redhat.com/errata/RHSA-2024:4597

Comment 40 errata-xmlrpc 2024-11-26 19:16:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:10149 https://access.redhat.com/errata/RHSA-2024:10149

Comment 42 errata-xmlrpc 2024-12-03 18:39:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2024:10520 https://access.redhat.com/errata/RHSA-2024:10520

Comment 43 errata-xmlrpc 2024-12-05 00:58:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:10525 https://access.redhat.com/errata/RHSA-2024:10525

Comment 44 errata-xmlrpc 2024-12-12 02:11:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:10841 https://access.redhat.com/errata/RHSA-2024:10841

Comment 45 errata-xmlrpc 2025-01-14 09:52:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:0115 https://access.redhat.com/errata/RHSA-2025:0115

Comment 46 errata-xmlrpc 2025-01-29 00:56:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:0650 https://access.redhat.com/errata/RHSA-2025:0650

Comment 50 errata-xmlrpc 2025-02-27 04:27:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2025:1711 https://access.redhat.com/errata/RHSA-2025:1711

Comment 51 errata-xmlrpc 2025-03-13 16:30:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:2441 https://access.redhat.com/errata/RHSA-2025:2441

Comment 52 errata-xmlrpc 2025-03-19 20:55:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:2710 https://access.redhat.com/errata/RHSA-2025:2710

Comment 53 errata-xmlrpc 2025-03-20 07:01:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:2701 https://access.redhat.com/errata/RHSA-2025:2701
