Docker Desktop, runc, BuildKit and Moby vulnerabilities: patch now
Recently, security experts at Snyk Labs discovered four critical vulnerabilities within the container ecosystem. These include a flaw in the runc container runtime, identified as CVE-2024-21626, and three others impacting BuildKit, labeled CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653. Docker notes that its team, in coordination with the reporting researchers and open-source maintainers, has been working on addressing and resolving the vulnerabilities.
According to Docker's statement, Docker plans to release updated versions of runc, BuildKit, and Moby on January 31, and an update for Docker Desktop on February 1 to mitigate these vulnerabilities. Furthermore, Docker's most recent releases of Moby and BuildKit will include fixes for two additional vulnerabilities, CVE-2024-23650 and CVE-2024-24557, discovered by an independent researcher and Docker's internal research team, respectively.
The affected versions are as follows:
- runc: versions up to and including 1.1.11
- BuildKit: versions up to and including 0.12.4
- Moby (Docker Engine): versions up to and including v25.0.1 and v24.0.8
- Docker Desktop: versions up to and including 4.27.0
These vulnerabilities pose a significant risk, as they can be exploited if users interact with malicious content, either by incorporating it into their build process or by running containers from untrusted images. This is particularly concerning for the CVE-2024-21626 container escape vulnerability. Potential impacts include unauthorized access to the host filesystem, compromised build cache integrity, and full container escape scenarios.
Docker strongly advises all users to prioritize their security by applying the forthcoming updates promptly. Timely installation of these updates is crucial for protecting systems against these vulnerabilities and maintaining a secure Docker environment.
For users operating on affected versions of runc, BuildKit, Moby, or Docker Desktop, it's recommended to upgrade to the latest patched versions as soon as they are available:
- runc: version 1.1.12 or later
- BuildKit: version 0.12.5 or later
- Moby (Docker Engine): version 25.0.2 or later on the 25.x line, and version 24.0.9 or later on the 24.x line
- Docker Desktop: version 4.27.1 or later
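A quick way to check a host against the fixed releases listed above, written here as an added example rather than tooling from Docker or the advisory. It assumes `runc --version` prints the version as the third word of its first line and that `docker version --format '{{.Server.Version}}'` returns the Engine version; BuildKit and Docker Desktop versions are not queried automatically and can be passed to `verdict` by hand.

```shell
#!/bin/sh
# Added example (not Docker's tooling): compare installed versions against the
# patched releases listed above. Version thresholds come from the advisory.

# version_lt A B: exit 0 if A < B (numeric, up to three dotted fields), else 1.
# A leading "v" and suffixes such as "-rc1" are tolerated.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/^v/, "", b)
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1
  }'
}

# needs_update COMPONENT VERSION: exit 0 when VERSION is below the fixed release.
needs_update() {
  case "$1" in
    runc)     version_lt "$2" 1.1.12 ;;
    buildkit) version_lt "$2" 0.12.5 ;;
    moby)     # two fixed branches: 24.0.9 for 24.x, 25.0.2 for everything else
      case "$2" in
        v24.*|24.*) version_lt "$2" 24.0.9 ;;
        *)          version_lt "$2" 25.0.2 ;;
      esac ;;
    desktop)  version_lt "$2" 4.27.1 ;;
    *)        echo "unknown component: $1" >&2; return 2 ;;
  esac
}

# verdict COMPONENT VERSION: print one line; empty VERSION means "not detected".
verdict() {
  if [ -z "$2" ]; then printf '%-8s not detected, check manually\n' "$1"
  elif needs_update "$1" "$2"; then printf '%-8s %-8s UPDATE (affected)\n' "$1" "$2"
  else printf '%-8s %-8s ok\n' "$1" "$2"; fi
}

# Live check of this host: runc and the Engine are queried; BuildKit and Docker
# Desktop versions have to be read from their own tooling and passed to verdict.
runc_ver=""; moby_ver=""
command -v runc >/dev/null 2>&1 && runc_ver=$(runc --version 2>/dev/null | awk 'NR==1 {print $3}')
command -v docker >/dev/null 2>&1 && moby_ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null || true)
verdict runc "$runc_ver"
verdict moby "$moby_ver"
```

Run it on each build host and CI runner; any line marked UPDATE is on a version the advisory lists as affected.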