On Saturday, RedHat posted a new entry in the Common Vulnerabilities and Exposures database with the impact level "important". The vulnerability could allow a malicious container, once run, to gain easy access to the host filesystem.
It defines the weakness as:
"A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system."
The full details can be found here.
The recommendation is to patch runc as soon as possible, if you haven't already.
This was shared with me this morning, and came as a bit of a surprise. Does this affect you, or your organisation?
Edit: It has been pointed out to me that the initial publication of this CVE was in February! Thanks @ohffs for that. I hope this post still stands as a useful resource, and a reminder of the importance of keeping patches up to date!