
k0s patches container escape vulnerability


k0s today patched a container escape vulnerability in runc (CVE-2024-21626) that allows hackers to compromise the host filesystem and cause container breakouts. The vulnerability, which is rated high severity by the National Institute of Standards and Technology and Open Container Initiative, results from an internal file descriptor leak. The flaw affects most container systems, as runc is the industry-standard container runtime and underlies Docker, containerd, and CRI-O.

To our knowledge, k0s is the first Kubernetes distribution to release patches to fix this problem. Fast CVE fixes are business as usual for k0s, as we guarantee our paying customers that we will mitigate critical vulnerabilities within three business days. However, given the nature of the issue and upstream discussions about how critical one of the attacks is, we wanted to fix this super fast anyway.

k0s users can access the hotfixes from GitHub here.

There are two ways users can apply the update: 

  • k0s Autopilot - Clusters self-update according to predefined plans. See documentation.

  • k0sctl - Clusters update through a configuration file that describes the desired state of the cluster. When you pass that description to the k0sctl apply command, k0sctl discovers the current state of the cluster and does whatever is necessary to bring it to the updated release. See documentation.

Mirantis has also prepared and is currently testing a patch for Mirantis Container Runtime, which is expected to be available in the next few days.
