tencent cloud

Vulnerability Details

Add-on: runC
Vulnerability Name: runC path traversal vulnerability
CVE No.: CVE-2021-30465
Fix Policy: Upgrade runC to 1.0.0-rc95 or later.

Fix Progress

1. The vulnerability was fixed for incremental nodes in September 2021 in TKE.
2. For legacy nodes, see the following upgrade script and fix the vulnerability during off-peak hours to avoid affecting the business stability.

   Note：

   Upgrading the runC add-on will not restart the business Pod.

   #!/bin/bash
   util::is_docker() {
   if command -v docker 1>/dev/null 2>&1; then
       RUNTIME="docker"
       return 0
   else
       return 1
   fi
   }
   wget http://static.ccs.tencentyun.com/docker-19.03.9-install-1.2.tgz
   tar -zxf docker-19.03.9-install-1.2.tgz
   if ! docker-19.03/bin/runc --version; then 
   echo "unmatch libseccomp version"
   # Get OS distribution
   OS_RELEASE="$(. /etc/os-release && echo "$ID")"
   OS_VERSION="$(. /etc/os-release && echo "$VERSION_ID")"
    if [ "ubuntu" = "${OS_RELEASE}" ]; then
    apt-get install libseccomp2
   else 
    yum install -y libseccomp
   fi
   fi
   if ! docker-19.03/bin/runc --version; then 
   echo "bad libseccomp version"
   exit 1;
   fi
   if util::is_docker; then
   cp docker-19.03/bin/runc /usr/bin/docker-runc
   cp docker-19.03/bin/runc /usr/bin/runc
   else
   cp docker-19.03/bin/runc /usr/local/sbin/runc
   fi
   rm -r    docker-19.03
   rm       docker-19.03.9-install-1.2.tgz