# How to Fix CVE-2024-21626 Vulnerability

On February 1, 2024, the runc community publicly announced a [security advisory for runc container escape](https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv), identified as **CVE-2024-21626** . The root cause of this vulnerability is due to an internal file descriptor leak in runc, allowing attackers to exploit the vulnerability and gain unauthorized access to the entire file system of the host where the container is located.

DCE 5.0 Installer has released version v0.15.2, which upgrades the **containerd** version to **1.7.13** and the runc version to **v1.1.12** . This means that clusters created in the DCE 5.0 environment based on version v0.15.2 are not affected by this vulnerability.

!!! note

    After upgrading to version v0.15.2, the supported cluster versions have been updated from v1.26.0 ~ v1.29.0 to v1.27.0 ~ v0.29.1.

## Solution

### Prerequisites

Confirm the scope of the cluster, which can be done in the following two ways:

- If the cluster version is v1.27.0 ~ v0.29.1, follow the [Upgrade DCE 5.0 Components](../upgrade.md) guide for upgrading. After a successful upgrade, refer to the steps below for [Updating Component Versions Configuration](#updating-component-version-configuration) and [Issuing Component Upgrade Tasks](#issuing-component-upgrade-tasks).
- Visit [kubean](https://github.com/kubean-io/kubean) to view the released [artifacts](https://kubean-io.github.io/kubean/zh/releases/artifacts/), and choose the specific artifact version based on the actual situation. The supported artifact versions and corresponding cluster version ranges are as follows:

    | Artifact Version | Supported Cluster Range | DCE 5.0 Support | Notes |
    | --- | --- | --- | --- |
    | release-2.21 | v1.23.0 ~ v1.25.6 | Installer v0.14.0+ | The community currently does not support the upgrade of the runc component in this artifact package. |
    | release-2.22 | v1.24.0 ~ v1.26.9 | Installer v0.15.0+ | Supports the latest runc, containerd |
    | release-2.23 | v1.25.0 ~ v1.27.7 | Expected Installer v0.16.0+ | Expected support in April |

    Therefore, only the release-2.22 artifact package currently supports **containerd, runc upgrades** . Hence, for cluster versions v1.24.0 ~ v1.26, follow all the steps below.

This article demonstrates the offline deployment of a K8s cluster version `v1.24.14`, upgrading the **containerd** version from **1.7.1** to **1.7.13** , and the **runc** version from **v1.1.7** to **v1.1.12** . Therefore, choose the `release-2.22` artifact.

### Steps

#### Creating and Importing runc/containerd Related Offline Packages

1. Define environment variables: minio address and username/password

    ```bash
    MINIO_USER="rootuser"
    MINIO_PASS="rootpass123"
    MINIO_ADDR="http://172.30.**.***:9000"
    ```

2. Define environment variable: airgap-patch image address

    ```bash
    AIRGAP_PATCH_IMG="ghcr.m.daocloud.io/kubean-io/airgap-patch:2.22-71b6fa1"
    ```

3. Only create component packages for x86 architecture

    ```bash
    cat > "manifest.yml" <<EOF
    image_arch:
      - "amd64" ## "arm64"
    containerd_version:
      - "1.7.13"
    runc_version:
      - "v1.1.12"
    EOF
    ```

4. Create offline package in an online environment

    ```groovy
    podman run -e ZONE=CN \
        -v "$(pwd)/data/":/data/ \
        -v "$(pwd)/manifest.yml":/manifest.yml \
        ${AIRGAP_PATCH_IMG}
    ```

5. Import binary package and offline images

    ```bash
    # Import binary package
    
    cd ./data/amd64/files/
    
    MINIO_USER="${MINIO_USER}" MINIO_PASS="${MINIO_PASS}" ./import_files.sh "${MINIO_ADDR}"
    
    ```

6. Deploy the `localartifactset.cr.yaml` custom resource to the **kubean-managed cluster or Global cluster** , in this example, a Global cluster is used.

    ```bash
    kubectl apply -f data/localartifactset.cr.yaml
    ```

#### Updating Component Version Configuration

1. Get the resource name of the cluster's hosts configmap

    ```bash
    kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.spec.varsConfRef}{'\n'}"
    {"name":"mini-1-vars-conf","namespace":"kubean-system"}
    ```

2. Edit the cluster configuration file named `mini-1-vars-conf` to add the required component version information for updating. Here, update containerd to `1.7.13` and runc to `v1.1.12`.

    ```bash
    $ kubectl -n kubean-system edit cm mini-1-vars-conf
     
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: mini-1-vars-conf
      namespace: kubean-system
    data:
      group_vars.yml: |-
        unsafe_show_logs: true
        container_manager: containerd
        kube_version: v1.24.14        # Keep kube version same as current cluster version, add if not present
        containerd_version: 1.7.13    # Update containerd from original 1.7.1 to 1.7.13
        runc_version: v1.1.12         # Update runc from original v1.1.7 to v1.1.12
        kube_network_plugin: calico
        kube_network_plugin_multus: false
        kube_proxy_mode: iptables
        etcd_deployment_type: kubeadm
        override_system_hostname: true
        ntp_enabled: true
        ...
    ```

#### Issuing Component Upgrade Tasks

1. Get the name of the cluster

    ```bash
    # For example, if the resource name of clusters.kubean.io is cluster-mini-1
    # Get the cluster name
    CLUSTER_NAME=$(kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.metadata.name}{'\n'}")
    ```

2. Get the resource name of the cluster configuration parameters configmap

    ```bash
    kubectl get clusters.kubean.io cluster-mini-1 -o=jsonpath="{.spec.hostsConfRef}{'\n'}"
    {"name":"mini-1-hosts-conf","namespace":"kubean-system"}
    ```

3. Upload the spray-job image to the offline image repository

    ```bash
    REGISTRY_ADDR="10.5.14.100"
       
    # Use accelerator address for the spray-job image
    SPRAY_IMG_ADDR="ghcr.io/kubean-io/spray-job:2.22-71b6fa1"
       
    # Skopeo parameters
    SKOPEO_PARAMS=" --insecure-policy -a --dest-tls-verify=false --retry-times=3 "
     
    skopeo copy ${SKOPEO_PARAMS} docker-archive:spray-job.tar docker://${REGISTRY_ADDR}/${SPRAY_IMG_ADDR}
    ```

4. Create the corresponding upgrade task

    ```bash
    SPRAY_IMG_ADDR="10.5.14.100/ghcr.io/kubean-io/spray-job"
    SPRAY_TAG="2.22-71b6fa1"
    CLUSTER_NAME="fu-113-42-old"
      
    cat << EOF | kubectl apply -f -
    ---
    apiVersion: kubean.io/v1alpha1
    kind: ClusterOperation
    metadata:
      name: cluster-mini-1-upgrades
    spec:
      cluster: ${CLUSTER_NAME}
      image: ${SPRAY_IMG_ADDR}:${SPRAY_TAG}
      actionType: playbook
      action: upgrade-cluster.yml
      postHook:
        - actionType: playbook
          action: cluster-info.yml
    EOF
    ```

5. Check the component upgrade results

    ```bash
    # runc version
    runc --version
    
    # containerd version
    containerd --version
    ```