runC Vulnerability (CVE-2021-30465) Fix Description

Last updated: 2022-06-10 16:48:44

    Vulnerability Details

    Add-on: runC
    Vulnerability Name: runC path traversal vulnerability
    CVE No.: CVE-2021-30465
    Fix Policy: Upgrade runC to 1.0.0-rc95 or later.

    Fix Progress

    1. In TKE, the vulnerability was fixed for incremental nodes in September 2021.
    2. For legacy nodes, use the following upgrade script and apply the fix during off-peak hours to avoid affecting business stability.
      Note: Upgrading the runC add-on will not restart business Pods.

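      #!/bin/bash
      # Returns 0 and sets RUNTIME when the node runs Docker.
      util::is_docker() {
          if command -v docker 1>/dev/null 2>&1; then
              RUNTIME="docker"
              return 0
          else
              return 1
          fi
      }

      # Fetch and unpack the package that bundles the fixed runc binary.
      # The download uses plain HTTP and this script performs no integrity check on the archive.
      wget http://static.ccs.tencentyun.com/docker-19.03.9-install-1.2.tgz || exit 1
      tar -zxf docker-19.03.9-install-1.2.tgz || exit 1

      # If the new runc cannot start, install libseccomp and try again.
      if ! docker-19.03/bin/runc --version; then
          echo "unmatch libseccomp version"
          # Get OS distribution
          OS_RELEASE="$(. /etc/os-release && echo "$ID")"
          if [ "ubuntu" = "${OS_RELEASE}" ]; then
              apt-get install -y libseccomp2
          else
              yum install -y libseccomp
          fi
      fi

      # Abort before touching the installed binaries if runc still does not run.
      if ! docker-19.03/bin/runc --version; then
          echo "bad libseccomp version"
          exit 1
      fi

      # Replace the runc binary in the location used by the node's runtime.
      if util::is_docker; then
          cp docker-19.03/bin/runc /usr/bin/docker-runc
          cp docker-19.03/bin/runc /usr/bin/runc
      else
          cp docker-19.03/bin/runc /usr/local/sbin/runc
      fi

      # Clean up the downloaded files.
      rm -r docker-19.03
      rm docker-19.03.9-install-1.2.tgz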
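
To confirm that a node meets the fix policy after the upgrade, the following added example (not part of the original page or of TKE tooling) compares each runc binary in the paths the script writes to against 1.0.0-rc95. The function names and the `--audit` argument are hypothetical; it assumes `runc --version` prints a line of the form `runc version X.Y.Z[-rcN]`, and it treats any version it cannot parse as unpatched.

```shell
#!/bin/bash
# Added example (not from the original page): checks installed runc binaries
# against the fix policy above (runC 1.0.0-rc95 or later).

# runc_is_patched VERSION: exit 0 if VERSION >= 1.0.0-rc95, else 1.
# Fails closed: anything it cannot parse counts as not patched.
runc_is_patched() {
    local v base pre major minor patch rest n
    v="${1#v}"; v="${v%%+*}"        # drop a leading "v" and "+build" metadata
    base="${v%%-*}"; pre=""
    if [ "$v" != "$base" ]; then pre="${v#*-}"; fi
    case "$base" in *.*.*) ;; *) return 1 ;; esac
    major="${base%%.*}"; rest="${base#*.}"
    minor="${rest%%.*}"; patch="${rest#*.}"
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -lt 1 ]; then return 1; fi
    if [ "$minor" -gt 0 ] || [ "$patch" -gt 0 ]; then return 0; fi
    # Exactly 1.0.0: the final release sorts after every release candidate.
    if [ -z "$pre" ]; then return 0; fi
    n="${pre#rc}"
    if [ "$n" = "$pre" ]; then return 1; fi    # pre-release tag is not "rcN"
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge 95 ]                            # numeric, not string, comparison
}

# runc_version_from OUTPUT: extract the version from `runc --version` text.
runc_version_from() {
    printf '%s\n' "$1" | awk '$1 == "runc" && $2 == "version" { print $3; exit }'
}

# audit_runc: check the install paths used by the upgrade script above.
audit_runc() {
    local bin ver rc=0
    for bin in /usr/bin/docker-runc /usr/bin/runc /usr/local/sbin/runc; do
        [ -x "$bin" ] || continue
        ver="$(runc_version_from "$("$bin" --version 2>/dev/null)")"
        if runc_is_patched "$ver"; then
            echo "OK         $bin $ver"
        else
            echo "VULNERABLE $bin ${ver:-unknown}"; rc=1
        fi
    done
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit_runc; exit $?; fi
```

Run it with `--audit` on the node; a non-zero exit status means at least one runc binary is still below 1.0.0-rc95.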
      