Publication Date: 2024/01/31 1:30 PM PST
CVE Identifier: CVE-2024-21626

AWS is aware of a recently disclosed security issue affecting the runc component of several open source container management systems (CVE-2024-21626). With the exception of the AWS services listed below, no customer action is required to address this issue.

Amazon Linux
An updated version of runc is available for Amazon Linux 1 (runc-1.1.11-1.0.amzn1), Amazon Linux 2 (runc-1.1.11-1.amzn2) and for Amazon Linux 2023 (runc-1.1.11-1.amzn2023). AWS recommends that customers using runc or other container-related software apply those updates or a newer version. Further information is available in the Amazon Linux Security Center.

Bottlerocket OS
An updated version of runc will be included in Bottlerocket 1.19.0, which will be released by February 2, 2024. AWS recommends that customers using Bottlerocket apply this update or a newer version. Further information will be posted in the Bottlerocket Security Advisories and the Bottlerocket Release Notes.

Amazon Elastic Container Service (ECS)
This CVE has been patched in runc, and an updated version of runc, version 1.1.11-1, is available as part of the latest Amazon ECS-optimized Amazon Machine Images (AMIs) released on January 31, 2024.

We recommend that ECS customers update to these AMIs (or the latest available) or perform a "yum update --security" to obtain this patch. Please refer to the "Amazon ECS-optimized AMI" user guide for additional information.

Amazon Elastic Kubernetes Service (EKS)
Amazon EKS has released updated EKS-optimized Amazon Machine Images (AMIs) version v20240129 with the patched container runtime. Customers using managed node groups can upgrade their node groups by referring to the EKS documentation. Customers using Karpenter can update their nodes by following the documentation on drift or AMI selection. Customers using self-managed worker nodes can replace existing nodes by referring to the EKS documentation.

Amazon EKS Fargate will have an update available for new pods on clusters by February 1, 2024, and will display a Kubelet version ending in eks-680e576. Customers can verify the version of their nodes by running kubectl get nodes. Customers should delete their existing pods to receive the patch after February 2, 2024. Please refer to the "Getting started with AWS Fargate using Amazon EKS" documentation for information on deleting and creating Fargate pods.
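The version checks the bulletin relies on (runc at or above 1.1.11 on Amazon Linux and ECS hosts, and the eks-680e576 kubelet build on EKS Fargate nodes) as an added POSIX shell example that is not part of the AWS bulletin; it assumes an rpm-based Amazon Linux host with runc on PATH for the live check, and the version strings it is fed are constructed samples:

```shell
#!/bin/sh
# Added example (not from the AWS bulletin): check whether a host's runc is at or
# above 1.1.11, the fixed version named for CVE-2024-21626, and whether an EKS
# Fargate node's kubelet string carries the patched build suffix (eks-680e576).
# Assumes an rpm-based Amazon Linux host with runc on PATH for the live check.

FIXED_RUNC_VERSION="1.1.11"
PATCHED_FARGATE_KUBELET_SUFFIX="eks-680e576"

# version_ge A B: succeed when dotted version A >= B, comparing each component
# as an integer so that 1.1.9 < 1.1.11 (a plain string compare gets this wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# extract_version TEXT: print the first X.Y.Z found in TEXT, e.g. from
# "runc version 1.1.11" or "runc-1.1.11-1.amzn2023.x86_64" (rpm -q output).
extract_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# runc_is_patched TEXT: 0 if TEXT names runc >= 1.1.11, 1 if older, 2 if unknown.
runc_is_patched() {
    v="$(extract_version "$1")"
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_RUNC_VERSION"
}

# fargate_kubelet_patched VERSION: succeed when a kubelet version string from
# `kubectl get nodes` ends in the patched build suffix.
fargate_kubelet_patched() {
    case "$1" in *"$PATCHED_FARGATE_KUBELET_SUFFIX") return 0 ;; *) return 1 ;; esac
}

# Live check on this host (skipped when runc is not installed).
if command -v runc >/dev/null 2>&1; then
    runc_is_patched "$(runc --version 2>/dev/null)" \
        && echo "runc >= $FIXED_RUNC_VERSION" \
        || echo "runc below $FIXED_RUNC_VERSION or unknown: run 'sudo yum update --security'" >&2
fi
```

For a cluster, feed each node's kubelet version (for example from `kubectl get nodes -o custom-columns=NAME:.metadata.name,KUBELET:.status.nodeInfo.kubeletVersion`) to fargate_kubelet_patched to list nodes still on the old build.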

Amazon EKS Anywhere has released updated images version v0.18.6 with the patched container runtime. Customers can refer to the EKS Anywhere "Upgrade cluster" documentation on how to upgrade clusters to use patched VM images.

AWS Elastic Beanstalk
Updated AWS Elastic Beanstalk Docker- and ECS-based platform versions are available. Customers using Managed Platform Updates will be automatically updated to the latest platform version in their selected maintenance window with no action required. Customers can update immediately by going to the Managed Updates configuration page and clicking on the "Apply now" button. Customers who have not enabled Managed Platform Updates can update their environment's platform version by following the "Updating your Elastic Beanstalk environment's platform version" user guide.

Finch
An updated version of runc is available for Finch in the latest release, v1.1.0. Customers should upgrade their Finch installation on macOS to address this issue. Finch releases can be downloaded through the project's GitHub release page or by running "brew update" if you installed Finch via Homebrew.

AWS Deep Learning AMI
The affected runc package is a part of our Amazon Linux 2 Deep Learning AMI. This runc package is pulled from upstream Amazon Linux 2 releases. Deep Learning AMI will automatically consume the latest patched package once it becomes available from the Amazon Linux Team. Once released, affected customers will need to pull in the latest Deep Learning AMI to consume the latest runc updates to mitigate the issue.

AWS Batch
An updated Amazon ECS-optimized AMI is available as the default Compute Environment AMI. As a general security best practice, we recommend that Batch customers replace their existing Compute Environments with the latest AMI. Instructions for replacing the Compute Environment are available in the Batch product documentation.

Batch customers who do not use the default AMI should contact their operating system vendor for the updates necessary to address these issues. Instructions for Batch custom AMI are available in the Batch product documentation.

Amazon SageMaker
Any SageMaker resources, including SageMaker Notebook Instances, SageMaker Training Jobs, SageMaker Processing Jobs, SageMaker Batch Transform Jobs, SageMaker Studio and SageMaker Inference, created or restarted after February 2, 2024, will automatically use the patch. For SageMaker Inference, any live endpoints that were not recreated will be automatically patched by February 7, 2024.

Security-related questions or concerns can be brought to our attention via