On January 31st, Snyk Security Labs discovered four vulnerabilities, called "Leaky Vessels," in core container components, enabling unauthorized access to the host OS from within the container. One vulnerability (CVE-2024-21626) in runc allows a container breakout. Users are urged to check for updates from container tool vendors and promptly upgrade. The other three vulnerabilities (CVE-2024-23651, CVE-2024-23653, CVE-2024-23652) also pose risks of container escapes.
Templafy ESS setup exclusively utilizes images from Azure Kubernetes Services, Templafy, and cert-manager (relevant only to customer-hosted ESS), minimizing the risk of compromise.
Templafy's infrastructure relies on containerd, and the identified issue has been addressed in version 1.6.28.
Microsoft is actively addressing the vulnerability by updating the containerd version. The resolution is expected in the 202401.17.1 version, currently operational in West Central US clusters. It will be deployed across all other regions within the next two weeks.
Actions required:
1. For Templafy ESS (Templafy Hosted):
The patch will automatically be implemented upon Microsoft's cluster version update.
2. For Templafy ESS (Customer Hosted) with Auto-Update Enabled:
The patch will automatically be implemented upon Microsoft's cluster version update.
3. For Templafy ESS (Customer Hosted) without Auto-Update Enabled:
Manual upgrade of containerd version is necessary. To do so, follow these steps in Kubernetes Services:
1. Click on Node pools
2. Click into one of the nodes
3. Click on "Update Image"
4. If there is a "Later version" greater than the current version, click on "Update Image" to start the upgrade process.
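The portal steps above update the node image; the check that confirms the update actually landed is to read each node's reported container runtime and compare it against the fixed containerd version. The script below is an added example, not Templafy's or Microsoft's tooling: it parses the `containerRuntimeVersion` strings that `kubectl get nodes` reports (in the form `containerd://1.6.27+azure-1`) and lists any node still below 1.6.28. The node names and runtime strings in `SAMPLE_NODES` are constructed so the script runs offline; in a real cluster, feed it the `kubectl` pipeline shown in the comments instead.

```shell
#!/bin/sh
# Added example (not part of the Templafy article): report AKS nodes whose
# containerd is older than the version that fixes CVE-2024-21626.
#
# Real input comes from the cluster; the command below prints "NAME RUNTIME" lines:
#   kubectl get nodes --no-headers \
#     -o custom-columns='NAME:.metadata.name,RUNTIME:.status.nodeInfo.containerRuntimeVersion'
# The CLI equivalent of the portal's "Update Image" step for a node pool is:
#   az aks nodepool upgrade --node-image-only -g <rg> --cluster-name <aks> -n <pool>

FIXED_CONTAINERD="1.6.28"   # fixed version named in the article

# version_ge A B: exit 0 if dotted numeric version A >= B, 1 otherwise.
# Pure POSIX sh so it does not depend on GNU `sort -V`.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax:-0}"; bx="${bx:-0}"          # missing components count as 0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# runtime_patched "containerd://1.6.27+azure-1": exit 0 only when the runtime is
# containerd at or above FIXED_CONTAINERD. Non-containerd runtimes are reported as
# unpatched so they get a manual look rather than silently passing.
runtime_patched() {
    runtime="$1"
    case "$runtime" in
        containerd://*) ;;
        *) return 1 ;;
    esac
    ver="${runtime#containerd://}"
    ver="${ver%%[!0-9.]*}"     # strip build suffixes such as "+azure-1"
    version_ge "$ver" "$FIXED_CONTAINERD"
}

# unpatched_nodes reads "NAME RUNTIME" lines on stdin, prints the ones that are
# not yet patched, and exits 1 if any were found (0 if the whole cluster is clean).
unpatched_nodes() {
    found=0
    while read -r name runtime; do
        [ -z "$name" ] && continue
        if ! runtime_patched "$runtime"; then
            echo "$name $runtime"
            found=1
        fi
    done
    return $found
}

# Constructed sample of kubectl output: one node still on 1.6.27, two already fixed.
SAMPLE_NODES='aks-nodepool1-12345678-vmss000000 containerd://1.6.27+azure-1
aks-nodepool1-12345678-vmss000001 containerd://1.6.28+azure-1
aks-nodepool2-12345678-vmss000000 containerd://1.7.5'

if printf '%s\n' "$SAMPLE_NODES" | unpatched_nodes; then
    echo "all nodes run containerd >= $FIXED_CONTAINERD"
else
    echo "nodes listed above still need the node image update"
fi
```

Run it once before and once after the "Update Image" step; the node pool is done only when the script prints no node names. Because the version comparison ignores build suffixes, an Azure image that reports `1.6.28+azure-1` is correctly treated as fixed.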
We are committed to keeping you informed. Updates and relevant changes will be reflected in this article.