Ubuntu CVE-2024-21626 runc vulnerability

Bug #2051918 reported by Piotr Zalewski
Affects            Status        Importance  Assigned to      Milestone
cloud-images       In Progress   Critical    Unassigned
runc (Ubuntu)      Fix Released  Undecided   Unassigned
runc-app (Ubuntu)  Fix Released  Undecided   Lucas Kanashiro

Bug Description

In all runc < 1.11.12 there is a security problem, CVE-2024-21626.
This could allow an attacker to get out of the container with root privileges.

A new version of runc (1.11.12) was released to fix it.

When will a new version of the AMI images used for AWS EKS be released?

Thanks
Piotr

CVE References

information type: Private Security → Public Security
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi Piotr,
the CVE page [1] indicates that this was already serviced to all active Ubuntu releases and, via Pro, even to Bionic; Xenial is still being triaged AFAICS.

I'm sure Noble will be updated as well before it is released in a few months.

The publishing time for all of them [2] looks like 02:14 CET last night.
Thereby any new daily image build later than that should include these fixed versions.
You can compare what you get with the versions as listed in [1] to check if you already got a new one.

[1]: https://ubuntu.com/security/CVE-2024-21626
[2]: https://launchpad.net/ubuntu/+source/runc/+publishinghistory

Changed in runc (Ubuntu):
status: New → Fix Released
Revision history for this message
Piotr Zalewski (piotr-zalewski) wrote :

Thank you Christian for the fast reply.

We are waiting for new images for EKS.
I'm checking availability with this command:

aws ec2 describe-images --executable-users all --filters "Name=name,Values=ubuntu-eks/k8s_1.27/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-2024*" --query 'Images[*].{ami:ImageId,date:CreationDate}' --output table

And waiting for new images.

Revision history for this message
Lorelei Rupp (loreleirupp) wrote :

We are waiting for this image as well. Is it the image with serial 20240201? Looks like one does show up on AWS now, but nothing here https://cloud-images.ubuntu.com/docs/aws/eks/

Revision history for this message
Thomas Bechtold (toabctl) wrote :

> We are waiting for this image as well. Is it the image with serial serial 20240201?

Yes, that's the serial which will fix the CVE for EKS images.

> Looks like one does show up on aws now

Yes, CI is running against the different EKS versions.

> but nothing here https://cloud-images.ubuntu.com/docs/aws/eks/

The update of that website usually takes some time. Sorry for that; we are trying to improve that for the future.

Revision history for this message
Varun Agarwal (agarwav7) wrote :

Thanks Thomas for your response.

We can now see the AMI with serial 20240201 for EKS 1.28 and 1.27; still waiting for the AMI to be made available for EKS 1.25/1.26.

Would we have a similar serial for Ubuntu 22 for EKS 1.29?

Revision history for this message
Thomas Bechtold (toabctl) wrote :

Hi Varun, Lorelei, Piotr,

New images for all EKS versions (1.23 - 1.29) with serial 20240201 are available now. Those do contain the required runc version to fix the CVE.
Please let us know if you run into any problems.

Changed in cloud-images:
status: New → Incomplete
status: Incomplete → In Progress
importance: Undecided → Critical
Revision history for this message
Tenzin Lhakhang (tlhakhan) wrote :

Hi Thomas,
I do not see these new images (with serial 20240201) listed on the Ubuntu on Amazon (EKS) web page here:
https://cloud-images.ubuntu.com/aws-eks/

My current time now is: Fri Feb 2 10:40:46 EST 2024

Revision history for this message
Tenzin Lhakhang (tlhakhan) wrote :

I was able to find the AMI Ids on AWS using the following filters:

AMI name = ubuntu-eks/k8s_1.28/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240201
AMI name = ubuntu-eks/k8s_1.25/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20240201
Owner alias = amazon

Revision history for this message
Thomas Bechtold (toabctl) wrote :

Hi Tenzin,
as I said, this web page isn't updated very fast.

The best way to get the latest Jammy based image is:

aws ssm get-parameters --names /aws/service/canonical/ubuntu/eks/22.04/1.29/stable/current/amd64/hvm/ebs-gp2/ami-id

For Focal based images, it's

aws ssm get-parameters --names /aws/service/canonical/ubuntu/eks/20.04/1.28/stable/current/amd64/hvm/ebs-gp2/ami-id

See https://canonical-aws.readthedocs-hosted.com/en/latest/aws-how-to/instances/find-ubuntu-images/ .

Revision history for this message
Tenzin Lhakhang (tlhakhan) wrote :

Ah sorry, in haste, I jumped down to the latest post. Thank you on getting this update out so quickly!

Revision history for this message
Tenzin Lhakhang (tlhakhan) wrote :

Hi Thomas,

I launched an EKS 1.25 cluster with the new image-id below.

# aws ssm get-parameters --names /aws/service/canonical/ubuntu/eks/20.04/1.25/stable/current/amd64/hvm/ebs-gp2/ami-id
{
    "Parameters": [
        {
            "Name": "/aws/service/canonical/ubuntu/eks/20.04/1.25/stable/current/amd64/hvm/ebs-gp2/ami-id",
            "Type": "String",
            "Value": "ami-07455039b269b8ee6",
            "Version": 43,
            "LastModifiedDate": "2024-02-01T11:13:48.371000-05:00",
            "ARN": "arn:aws:ssm:us-east-1::parameter/aws/service/canonical/ubuntu/eks/20.04/1.25/stable/current/amd64/hvm/ebs-gp2/ami-id",
            "DataType": "aws:ec2:image"
        }
    ],
    "InvalidParameters": []
}

When I examined the runc version inside, it has an old runc version.

root@ip-10-0-89-179:~# curl http://169.254.169.254/latest/meta-data/ami-id; echo
ami-07455039b269b8ee6

root@ip-10-0-89-179:~# runc --version
runc version 1.1.7-0ubuntu1~20.04.2
spec: 1.0.2-dev
go: go1.18.1
libseccomp: 2.5.1

I'm expecting the runc version to be version 1.1.12 or something different. Is this a correct expectation?

--

I checked an old EKS worker node prior to 20240201, and see the same runc version output. See older Ubuntu EKS image-id used and its runc version output.

root@ip-10-165-249-102:~# curl http://169.254.169.254/latest/meta-data/ami-id; echo
ami-0719e89b34449c149

root@ip-10-165-249-102:~# runc --version
runc version 1.1.7-0ubuntu1~20.04.2
spec: 1.0.2-dev
go: go1.18.1
libseccomp: 2.5.1

Revision history for this message
Tenzin Lhakhang (tlhakhan) wrote :

I see what happened with the older EKS worker node: it was the unattended-upgrades process that brought up the version.

./unattended-upgrades-dpkg.log-Log started: 2024-02-01 06:35:49
./unattended-upgrades-dpkg.log-debconf: delaying package configuration, since apt-utils is not installed
./unattended-upgrades-dpkg.log-debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 76247 files and directories currently installed.)
./unattended-upgrades-dpkg.log:Preparing to unpack .../runc_1.1.7-0ubuntu1~20.04.2_amd64.deb ...
./unattended-upgrades-dpkg.log:Unpacking runc (1.1.7-0ubuntu1~20.04.2) over (1.1.7-0ubuntu1~20.04.1) ...
./unattended-upgrades-dpkg.log:Setting up runc (1.1.7-0ubuntu1~20.04.2) ...
./unattended-upgrades-dpkg.log-Log ended: 2024-02-01 06:35:51

Revision history for this message
Tenzin Lhakhang (tlhakhan) wrote :

As for the runc version, the latest AMI (with serial 20240201) does have the correct version (1.1.7-0ubuntu1~20.04.2).

See details on the patched runc version here for CVE-2024-21626:
https://ubuntu.com/security/notices/USN-6619-1
https://launchpad.net/ubuntu/+source/runc/1.1.7-0ubuntu1~20.04.2

Revision history for this message
Lucas Kanashiro (lucaskanashiro) wrote :

The src:runc was updated to version 1.1.12 but it provides just the library code. The application is provided by src:runc-app. I am going to update it to version 1.1.12 in Noble.

Changed in runc-app (Ubuntu):
status: New → In Progress
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package runc-app - 1.1.12-0ubuntu1

---------------
runc-app (1.1.12-0ubuntu1) noble; urgency=medium

  * New upstream release (LP: #2051918).

 -- Lucas Kanashiro <email address hidden> Mon, 19 Feb 2024 18:31:43 -0300

Changed in runc-app (Ubuntu):
status: In Progress → Fix Released
This report contains Public Security information  
Everyone can see this security related information.