Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Open Container Initiative runc

Published: 2024-06-28 22:49:49
Source: www.ibm.com
Tags: ibm infosphere information server, open container initiative, runc, vulnerabilities, security restrictions, file descriptor leak, elevated privileges, symbolic link vulnerability

CVSS3: 8.6 High
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
(Attack Vector: Local; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Changed; Confidentiality, Integrity and Availability Impact: High)

AI Score: 7.8 High (Confidence: Low)

EPSS: 0.051 Low (Percentile: 93.0%)

Summary

Multiple vulnerabilities in Open Container Initiative runc used by IBM InfoSphere Information Server were addressed.

Vulnerability Details

CVEID: CVE-2024-21626
**DESCRIPTION:** Open Container Initiative runc could allow an attacker to bypass security restrictions, caused by an internal file descriptor leak: a host file descriptor remains open in the container process during startup. By persuading a victim to run a specially crafted image, an attacker could exploit this vulnerability to escape the container and access the host filesystem. Note that the CVSS vector is local (AV:L) with user interaction required; the attacker needs the victim to run the crafted image, not network access to the host.
CVSS Base score: 8.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281085 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2023-27561
**DESCRIPTION:** Open Container Initiative runc could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper access control in libcontainer/rootfs_linux.go. By supplying a specially crafted container configuration, an authenticated attacker who can run custom images could exploit this vulnerability to gain elevated privileges on the host.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/249173 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2023-28642
**DESCRIPTION:** runc could allow an attacker to bypass security restrictions, caused by a symbolic link following vulnerability. By creating a symbolic link inside a container that points to the /proc directory, an attacker could exploit this vulnerability to bypass the AppArmor and SELinux protections that runc applies to the container at startup. As with the other two issues, the CVSS vector is local.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251539 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s): InfoSphere Information Server
Version(s): 11.7

Remediation/Fixes

Product: InfoSphere Information Server, InfoSphere Information Server on Cloud
VRMF: 11.7
APAR: DT269779
Remediation:
  -- Action is needed only if InfoSphere Information Server version 11.7.1.4 is installed
  -- Apply InfoSphere Information Server version 11.7.1.5

Workarounds and Mitigations

Until the fix pack is applied, the runc binary on the microservices tier nodes can be updated by replacing the binary file. runc is invoked per container operation rather than running as a daemon, so the replacement takes effect for containers started or exec'd after it; the node restart that follows ensures every running container is brought up on the fixed binary.

  1. Download a fixed runc binary from the official releases page:
    For example, wget https://github.com/opencontainers/runc/releases/download/v1.1.12/runc.amd64 -O /tmp/runc
  2. Replace the runc binary on the system:
    sudo mv /tmp/runc /usr/local/sbin/runc
  3. Ensure that the runc binary has execute permissions:
    sudo chmod a+x /usr/local/sbin/runc
  4. Confirm that the runc version has changed, by examining the output of the command:
    runc --version

After replacing the runc binary, perform the standard microservices tier node restart procedure:

  1. Use stop_node.sh script to stop microservices tier services.
  2. Reboot the node.
  3. Use start_node.sh script to start microservices tier services.
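The script below is an added example of the replace-the-binary procedure above, not part of the IBM bulletin or of runc. It checks the installed runc version against the fixed release before touching anything, and in "apply" mode performs the download, replacement, chmod and version check. Two additions beyond the bulletin's steps are assumptions: it verifies the download against the runc.sha256sum file that runc releases publish alongside the binaries, and it keeps a dated backup of the old binary for rollback. The node architecture (amd64), the runc path (/usr/local/sbin/runc) and the script names stop_node.sh/start_node.sh are taken from the bulletin; the restart itself is left to the operator because a reboot ends the script.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin): check a microservices tier node's
# runc against the fixed release and, with "apply", carry out the bulletin's
# replace-the-binary steps. Assumptions beyond the bulletin: runc releases
# publish a runc.sha256sum file, the node is amd64 unless ARCH is set, and
# the old binary is backed up before replacement.
# Usage:  sh runc-fix.sh check     or     sh runc-fix.sh apply
FIXED_VERSION="1.1.12"                           # release the bulletin points at
RUNC_PATH="${RUNC_PATH:-/usr/local/sbin/runc}"   # path used in the bulletin
ARCH="${ARCH:-amd64}"                            # assumed architecture

# Turn the output of `runc --version` ("runc version 1.1.9\ncommit: ...")
# into the bare dotted version, e.g. "1.1.9". Prints nothing on no match.
parse_runc_version() {
    printf '%s\n' "$1" | sed -n 's/^runc version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_lt A B: exit 0 when dotted version A is strictly older than B.
# Compares component by component; missing components count as 0.
# Written in plain POSIX sh so it does not depend on GNU `sort -V`.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# runc_needs_update OUTPUT_OF_RUNC_VERSION: exit 0 when the installed runc is
# older than FIXED_VERSION (or its version line cannot be parsed at all).
runc_needs_update() {
    current=$(parse_runc_version "$1")
    [ -n "$current" ] || return 0
    version_lt "$current" "$FIXED_VERSION"
}

# Bulletin steps 1-4, with checksum verification and a backup added.
install_fixed_runc() {
    base="https://github.com/opencontainers/runc/releases/download/v${FIXED_VERSION}"
    tmp=$(mktemp -d) || return 1
    # Step 1: download the release binary and its published checksum list
    wget -q "${base}/runc.${ARCH}" -O "${tmp}/runc.${ARCH}" || return 1
    wget -q "${base}/runc.sha256sum" -O "${tmp}/runc.sha256sum" || return 1
    # Verify before the binary goes anywhere near the real path (assumed file)
    if ! (cd "$tmp" && grep " runc\.${ARCH}\$" runc.sha256sum | sha256sum -c -); then
        echo "checksum mismatch for runc.${ARCH}; not installing" >&2
        rm -rf "$tmp"; return 1
    fi
    # Keep the old binary so the node can be rolled back (added step)
    sudo cp -p "$RUNC_PATH" "${RUNC_PATH}.bak-$(date +%Y%m%d)"
    # Steps 2 and 3: replace the binary and make sure it is executable
    sudo mv "${tmp}/runc.${ARCH}" "$RUNC_PATH"
    sudo chmod a+x "$RUNC_PATH"
    rm -rf "$tmp"
    # Step 4: confirm the version changed
    "$RUNC_PATH" --version
}

main() {
    mode=${1:-check}
    case $mode in
        check|apply) ;;
        *) echo "usage: $0 [check|apply]" >&2; return 2 ;;
    esac
    if ! command -v runc >/dev/null 2>&1; then
        echo "runc not found in PATH; nothing to check" >&2
        return 0
    fi
    out=$(runc --version 2>/dev/null)
    if runc_needs_update "$out"; then
        echo "installed runc ($(parse_runc_version "$out")) is older than ${FIXED_VERSION}"
        if [ "$mode" = apply ]; then
            install_fixed_runc || return 1
            echo "now run the bulletin's restart sequence: stop_node.sh, reboot, start_node.sh"
        fi
    else
        echo "installed runc ($(parse_runc_version "$out")) is at or above ${FIXED_VERSION}; no action needed"
    fi
}

main "$@"
```

Run it in check mode on every microservices tier node first; it only reports. Apply mode still needs the bulletin's stop_node.sh, reboot and start_node.sh sequence afterwards, which the script prints as a reminder rather than executing.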
