Security patch available for container escape vulnerability affecting Mirantis Container Runtime and Mirantis Kubernetes Engine

Mirantis has patched a container escape vulnerability in runc (CVE-2024-21626) that allows hackers to compromise the host filesystem and cause container breakouts. The vulnerability, which is rated high severity by the National Institute of Standards and Technology and Open Container Initiative, results from an internal file descriptor leak. The flaw affects Mirantis Container Runtime (MCR) and Mirantis Kubernetes Engine (MKE) through the use of the runc application to launch containers.

Mirantis fixes CVEs impacting MCR and MKE promptly to ensure a secure operating environment for our customers. While MCR requires an updated software release to fix this issue, the risk to MKE can be remediated without an updated version of MKE. MKE customers who use MCR as the container runtime should immediately upgrade to MCR version 23.0.9-1 to ensure security against this CVE, though an update to MKE itself is not required.

Further technical information on the vulnerability as well as how to upgrade and secure your MCR deployment can be found in the MCR Technical Bulletin. Likewise, information on securing MKE can be found in the MKE Technical Bulletin.

Mirantis has also prepared a security patch for k0s.