Response to Leaky Vessels: Docker and runc container breakout vulnerabilities
Incident Report for Aptible
Resolved
We have proactively addressed a recent security vulnerability identified as "Leaky Vessels," a container breakout issue affecting runc versions up to 1.1.11. This vulnerability had the potential to allow unauthorized access to the host OS from containers.

Our team has promptly updated our systems, including all instances of runc, to the patched version, to ensure the highest level of security for our platform and your services. This update mitigates the risks associated with this vulnerability.

The following CVEs have been addressed on our platform:

- CVE-2024-21626: runc process.cwd & leaked fds container breakout
- CVE-2024-23651: Buildkit Mount Cache Race
- CVE-2024-23653: Buildkit GRPC SecurityMode Privilege Check
- CVE-2024-23652: Buildkit Build-time Container Teardown Arbitrary Delete

We assure you that our swift actions have kept our systems, and consequently your services, secure and unaffected by this vulnerability. We remain committed to maintaining the highest security standards and will continue to monitor and update our systems to safeguard your data and services.

For more detailed information about this topic, you can refer to the Snyk blog post: https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/
Posted Jan 31, 2024 - 19:03 EST