k0s patches container escape vulnerability
k0s today patched a container escape vulnerability in runc (CVE-2024-21626) that allows hackers to compromise the host filesystem and cause container breakouts. The vulnerability, which is rated high severity by the National Institute of Standards and Technology and Open Container Initiative, results from an internal file descriptor leak. The flaw affects most container systems, as runc is the industry-standard container runtime and underlies Docker, containerd, and CRI-O.
To our knowledge, k0s is the first Kubernetes distribution to release patches to fix this problem. Fast CVE fixes are business as usual for k0s, as we guarantee our paying customers that we will mitigate critical vulnerabilities within three business days. However, given the nature of the issue and some upstream discussions about one of the attacks being so critical, we wanted to fix this super fast anyway.
k0s users can access the hotfixes from GitHub here.
There are two ways users can apply the update:
k0s Autopilot - Clusters self-update according to predefined plans. See documentation.
k0sctl - Clusters update through a configuration file that describes the desired state of the cluster. When you pass the description of the
k0sctl applycommand, a discovery of the current state is performed, and the system does whatever is necessary to bring the cluster to the updated release. See documentation.
Mirantis has also prepared and is currently testing a patch for Mirantis Container Runtime, which is expected to be available in the next few days.
