
CVE-2021-30465

Vulnerability Description

runc is the CLI tool for creating and running containers according to the OCI specification, and it is widely used in container environments including Kubernetes. The vulnerability arises when an attacker points the target of a mount at a symbolic link inside a container volume directory on the host, thereby gaining unauthorized access to the host's mount point. By controlling the source path of the mount, the attacker can link a sub-directory within that path to the host's root directory. Exploitation relies on a race condition of the TOCTTOU (Time Of Check To Time Of Use) type, which, under certain circumstances, allows a directory chosen by the malicious container to be mounted onto a host directory.

Affected Versions

Docker versions below 20.10.7
Containerd versions below 1.4.6, 1.5.2
Runc versions below 1.0-rc95
The default Docker and Containerd versions currently used by UK8S nodes are within the affected range.

Vulnerability Self-check

To verify the runtime version used by a node, use either of the following methods:

  1. Run kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}' directly.
  2. Log in to the node. On Docker nodes, run docker version; on Containerd nodes, run crictl version.

⚠️ Clusters created before July 9, 2020, do not include the Master node by default, so you can skip the Master node check.
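As an added example (not part of this page), the following script classifies each node from the output of the kubectl command in method 1 against the fixed versions listed under Affected Versions: Docker 20.10.7, containerd 1.4.6 for the 1.4.x branch and 1.5.2 for the 1.5.x branch. The node names and runtime strings in SAMPLE_NODES are constructed; on a real cluster, pipe the kubectl output into list_affected_nodes instead.

```shell
#!/usr/bin/env sh
# Added example, not part of the UK8S page: classify each node as affected
# or fixed for CVE-2021-30465 from the output of the kubectl self-check
# command. Fixed-version thresholds are the ones listed under
# "Affected Versions": Docker 20.10.7, containerd 1.4.6 (1.4.x) / 1.5.2 (1.5.x).

# Constructed sample in the exact "<node>\t<containerRuntimeVersion>" shape
# produced by the kubectl jsonpath command (hypothetical node names).
SAMPLE_NODES="$(printf 'master-1\tdocker://19.3.11\nworker-1\tdocker://20.10.11\nworker-2\tcontainerd://1.4.4\nworker-3\tcontainerd://1.4.12\nworker-4\tcontainerd://1.5.1\nworker-5\tcontainerd://1.5.2\n')"

# version_lt A B: exit status 0 when dotted version A is strictly lower than B.
# Components are compared numerically so that 20.10.11 > 20.10.7.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0
      y = (i <= nb) ? pb[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1   # equal versions are not "less than"
  }'
}

# runtime_status "docker://19.3.11" -> prints affected | fixed | unknown
runtime_status() {
  rt="${1%%://*}"
  ver="${1#*://}"
  case "$rt" in
    docker)
      fixed_at=20.10.7 ;;
    containerd)
      # 1.5.x branch fixed in 1.5.2; 1.4.x (and anything older) fixed in 1.4.6
      case "$ver" in
        1.5.*) fixed_at=1.5.2 ;;
        *)     fixed_at=1.4.6 ;;
      esac ;;
    *)
      echo unknown; return 0 ;;
  esac
  if version_lt "$ver" "$fixed_at"; then echo affected; else echo fixed; fi
}

# list_affected_nodes: reads "<node>\t<runtime>" lines on stdin and prints
# the ones still running an affected runtime.
list_affected_nodes() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r node runtime; do
    [ -n "$node" ] || continue
    if [ "$(runtime_status "$runtime")" = affected ]; then
      printf '%s\t%s\n' "$node" "$runtime"
    fi
  done
}

# Live use on a cluster: pipe the kubectl command's output in instead, e.g.
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}' | list_affected_nodes
printf '%s\n' "$SAMPLE_NODES" | list_affected_nodes
```

Versions are compared component by component as integers rather than as strings, so 20.10.11 is correctly recognized as newer than 20.10.7. Runtimes other than Docker and containerd are reported as unknown rather than silently treated as fixed.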

Repair Suggestions

  1. Review how workloads are deployed and use only trusted containers. Make sure the container mount directories contain no symbolic links to other paths on the host.
  2. From January 14, 2022, newly added nodes and new clusters of version 1.17 and above use the patched Docker and Containerd versions by default.
  3. Due to compatibility issues, clusters below version 1.17 are no longer maintained. We recommend upgrading to version 1.17 or above as soon as possible, or mitigating this vulnerability by reviewing how workloads are deployed.
  4. For existing nodes in clusters of version 1.17 and above, upgrade by adding new nodes, evicting Pods from the old nodes, and then deleting the old nodes. Make sure the Pods are running normally on the new nodes before deleting the old ones.
  5. Since Master nodes cannot be upgraded by adding and deleting nodes, upgrade them according to the Manual Upgrade Plan below.
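An added example (not UK8S code) of the check behind suggestion 1: it walks a host directory that is mounted into containers and reports every symbolic link whose resolved target lies outside that directory. The temporary directory, the link names and the link to / are constructed for the demo; point find_escaping_symlinks at your own volume directories instead.

```shell
#!/usr/bin/env sh
# Added example, not part of the UK8S page: audit a host directory that is
# mounted into containers for symbolic links whose target resolves outside
# that directory, which is the condition Repair Suggestion 1 asks you to
# rule out. Directory layout and link names below are constructed for the demo.

# find_escaping_symlinks DIR: prints "<link> -> <resolved target>" for every
# symlink under DIR that resolves to a path outside DIR. Links that stay
# inside the volume directory are not reported. Requires GNU readlink -f.
find_escaping_symlinks() {
  root="$(readlink -f -- "$1")" || return 2
  # find does not follow symlinks, so an escaping link is listed, not entered.
  find "$root" -type l | while IFS= read -r link; do
    target="$(readlink -f -- "$link")" || target="(dangling)"
    case "$target" in
      "$root"|"$root"/*) ;;                       # stays inside the volume
      *) printf '%s -> %s\n' "$link" "$target" ;; # leaves the volume: report
    esac
  done
}

# volume_is_clean DIR: exit status 0 when no escaping symlink exists under DIR.
volume_is_clean() {
  [ -z "$(find_escaping_symlinks "$1")" ]
}

# make_demo_volume: builds a constructed volume with one harmless in-tree
# link and one link that points at the host root, and prints its path.
make_demo_volume() {
  dir="$(mktemp -d)"
  mkdir -p "$dir/app/logs"
  ln -s "$dir/app/logs" "$dir/app/current-logs"   # harmless: target inside volume
  ln -s / "$dir/app/config"                        # escapes: target is host /
  printf '%s\n' "$dir"
}

demo="$(make_demo_volume)"
if volume_is_clean "$demo"; then
  echo "no escaping symlinks under $demo"
else
  echo "escaping symlinks under $demo:"
  find_escaping_symlinks "$demo"
fi
rm -rf "$demo"
```

Run the audit from the host against each hostPath or volume directory before trusting a workload with it, and repeat it after the workload has been running, since a container with write access to the volume can create such links at any time.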

Manual Upgrade Plan

  1. Follow the Vulnerability Self-check steps to determine whether the node needs to be upgraded.
  2. Run kubectl drain --ignore-daemonsets <node> to evict all Pods from the node; evict any remaining Pods manually. In some cases you may need to add the --delete-emptydir-data parameter. Wait until Pod eviction completes before carrying out the upgrade steps below.
  3. Refer to the Upgrade Docker and Containerd section of this article and choose the upgrade method that matches your node's operating system and runtime (Docker or Containerd).
  4. On Docker nodes, run docker version; on Containerd nodes, run crictl version. Confirm the node's current runtime version number.
  5. [Optional] For Worker nodes (not Master nodes), run kubectl uncordon <node> after the upgrade completes to rejoin the node to the cluster.

Upgrade Docker and Containerd

⚠️ Installing Docker on a Containerd node by mistake will render the node unusable.

CentOS 7

Docker Node
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-rootless-extras-20.10.11-3.el7.x86_64.rpm
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-20.10.11-3.el7.x86_64.rpm
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.4.12-3.1.el7.x86_64.rpm
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-ce-cli-20.10.11-3.el7.x86_64.rpm
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/docker-scan-plugin-0.9.0-3.el7.x86_64.rpm
yum install -y fuse-overlayfs slirp4netns
rpm -U containerd.io-1.4.12-3.1.el7.x86_64.rpm docker-ce-20.10.11-3.el7.x86_64.rpm docker-ce-rootless-extras-20.10.11-3.el7.x86_64.rpm docker-scan-plugin-0.9.0-3.el7.x86_64.rpm docker-ce-cli-20.10.11-3.el7.x86_64.rpm
Containerd Node
wget https://download.docker.com/linux/centos/7/x86_64/stable/Packages/containerd.io-1.4.12-3.1.el7.x86_64.rpm
rpm -U containerd.io-1.4.12-3.1.el7.x86_64.rpm

Ubuntu 20.04

Docker Node
wget https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/docker-ce_20.10.11~3-0~ubuntu-focal_amd64.deb
wget https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/containerd.io_1.4.12-1_amd64.deb
wget https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/docker-ce-cli_20.10.11~3-0~ubuntu-focal_amd64.deb
dpkg -i docker-ce_20.10.11~3-0~ubuntu-focal_amd64.deb containerd.io_1.4.12-1_amd64.deb docker-ce-cli_20.10.11~3-0~ubuntu-focal_amd64.deb
Containerd Node
wget https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/containerd.io_1.4.12-1_amd64.deb
dpkg -i containerd.io_1.4.12-1_amd64.deb

Ubuntu 18.04

Docker Node
wget https://download.docker.com/linux/ubuntu/dists/bionic/pool/stable/amd64/docker-ce_20.10.11~3-0~ubuntu-bionic_amd64.deb
wget https://download.docker.com/linux/ubuntu/dists/bionic/pool/stable/amd64/containerd.io_1.4.12-1_amd64.deb
wget https://download.docker.com/linux/ubuntu/dists/bionic/pool/stable/amd64/docker-ce-cli_20.10.11~3-0~ubuntu-bionic_amd64.deb
dpkg -i docker-ce_20.10.11~3-0~ubuntu-bionic_amd64.deb containerd.io_1.4.12-1_amd64.deb docker-ce-cli_20.10.11~3-0~ubuntu-bionic_amd64.deb
Containerd Node
wget https://download.docker.com/linux/ubuntu/dists/bionic/pool/stable/amd64/containerd.io_1.4.12-1_amd64.deb
dpkg -i containerd.io_1.4.12-1_amd64.deb

Original Vulnerability Advisory

  1. https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r