Remediating CVE-2024-21626

[olivierjh]

Snyk posted a container breakout vulnerability at the end of January that impacts container environments like docker + kubernetes (by extension, RKE2) and it looks like it can be remediated by updating the local version of runc to a newer version. That version of runc looks to be much newer than the version of runc included in docker images for RKE2's stable release channel (v1.26.12+rke2r1).

What does Rancher Labs recommend for remediating this CVE until a patch hardening the vulnerbility is developed and released?

If there's a better place to discuss this issue, please let me know.

[olivierjh]

From what I understand, you can't upgrade the version of runc or containerd underlying RKE2 without upgrading RKE2 itself. I'm very interested in the ETA on a patched version of RKE2 if one doesn't already exist, but I'm scanning the available versions as we speak.

[olivierjh]

Looks like there's an open RKE2 issue to patch the vulnerability: #5340

[markhillgit]

For Harvester the updates to rke2 1.26 and 1.27 containing these fixes will be incorporated into Harvester 1.2.2 and 1.3.0 asap.

[markhillgit]

People on 1.1.x will have to go to 1.2.1 and then 1.2.2 because we cannot make the leap from 1.24 directly, but Harvester 1.2.x is stable.

[megabreit]

I did. The answer was unexpected. But I think you guys need to discuss this internally :-)

[brandond]

The answer provided above? We don't do LTSS for Kubernetes releases, the policy has always been that you need to be on a supported minor to receive patches. That is not different just because the cluster in question is embedded in Harvester.

[megabreit]

I understand your policy. But maybe you can put yourself in my shoes for a moment: I have a support contract. And I have a vulnerability that needs to be fixed asap. In this case I don't want to get a finger pointing answer from one department of the same company to the other. Harvester is a "sort of" LTSS product, as long as RKE2 is involved, basically because of their slow release policy. So you (as in Suse) have created an LTSS product without being able to support it. This is the thing you (again Suse) need to sort out. Customers expect it.