.svg?width=185&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Home"){kind=logo}
.svg?width=13&quality=80&auto=webp&format=auto&cache=true&immutable=true&cache-control=max-age%3D31536000 "Top Navigation - Sign in - Icon")
Informational
Advisory: Leaky Vessels vulnerabilities in Docker and runc
CVE(S)
CVE-2024-21626
CVE-2024-23651
CVE-2024-23652
CVE-2024-23653
PRODUCT(S)
Cloud Optix
Sophos Endpoint
Sophos Central
Sophos Email
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos RED
Sophos Switch
Sophos UTM
Sophos Wireless
Sophos ZTNA
SophosLabs Intelix
Updated
2024 Feb 8
Article Version
3
First Published
2024 Feb 6
Publication ID
sophos-sa-20240206-leaky-vessels
Workaround
No
Overview
On Wednesday January 31, 2024, the Snyk Security Labs team published an advisory about high severity vulnerabilities in the runc command line utility and Docker components.
Docker and runc are common parts of hosted and cloud services infrastructure that can run specific workloads in isolated environments, also referred to as “containers”. The vulnerabilities could allow a crafted malicious container image to escape and gain code execution on the underlying host operating system. This is particularly impactful to scenarios in which containers are provided by an external and untrusted entity as it could enable privileged host-level access to the underlying docker host.
Due to the nature of this vulnerability, it is unlikely that any Sophos products will be impacted.
Patches for Docker and runc
According to the official Docker security advisory, the fixes are included in the following versions:
| Patched versions | |
| runc | >= 1.1.12 |
| BuildKit | >= 0.12.5 |
| Moby (Docker Engine) | >= 25.0.2 and >= 24.0.9 |
| Docker Desktop | >= 4.27.1 |
What Sophos products are affected?
The following products have been reviewed against the Leaky Vessels vulnerabilities.
| Product or Service | Status | Description |
|---|---|---|
| Cloud Optix | Not affected | Vulnerable code cannot be controlled by adversary |
| SG UTM (all versions) | Not affected | Component not present |
| Sophos Central | Not affected | Vulnerable code cannot be controlled by adversary |
| Sophos Endpoint protection (Windows) | Not affected | Component not present |
| Sophos Endpoint protection (macOS) | Not affected | Component not present |
| Sophos Endpoint protection (Linux) | Not affected | Component not present |
| Sophos Email | Not affected | Vulnerable code cannot be controlled by adversary |
| Sophos Firewall (all versions) | Not affected | Component not present |
| SophosConnect client | Not affected | Component not present |
| Sophos Home (macOS) | Not affected | Component not present |
| Sophos Mobile | Not affected | Vulnerable code cannot be controlled by adversary |
| Sophos Mobile EAS Proxy | Not affected | Component not present |
| Sophos Mobile Control app (iOS + Android) | Not affected | Component not present |
| Sophos Intercept X for Mobile app (iOS + Android) | Not affected | Component not present |
| Sophos Chrome Security | Not affected | Component not present |
| Sophos PhishThreat | Not affected | Vulnerable code cannot be controlled by adversary |
| Sophos RED | Not affected | Component not present |
| Sophos AP/APX | Not affected | Component not present |
| SophosLabs Intelix | Not affected | Vulnerable code cannot be controlled by adversary |
| Sophos Secure Access Service Edge (SASE) | Not affected | Component not present |
| Sophos SASI (AntiSpam) | Not affected | Component not present |
| SUSI | Not affected | Component not present |
| AV Engine (all platforms) | Not affected | Component not present |
Related Information
Sophos Responsible Disclosure Policy
To learn about Sophos security vulnerability disclosure policies and publications, see the Responsible Disclosure Policy.