VMware has released fixes for a file-descriptor mishandling vulnerability in the runc container runtime.
Products affected by the vulnerability, which the company rates as important, are VMware Integrated OpenStack with Kubernetes (VIO-K), VMware PKS (PKS), VMware vCloud Director Container Service Extension (CSE), and vSphere Integrated Containers (VIC).
Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host’s runc binary and execute arbitrary code.
Exploitation of this vulnerability requires the attacker to have existing permission to deploy containers or run docker exec. Alternatively, an attacker could trick a user with these permissions into deploying a malicious container or running docker exec for them.
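The impact described above is an overwrite of the host's runc binary. One defensive control a host owner can run independently of patching is an integrity baseline of that binary, re-checked on a schedule or from a host-level agent. The following is an added example, not code from VMware or the runc project; the path to runc, the baseline attributes chosen, and the stand-in file used in the demonstration are all assumptions of this example.

```python
"""Integrity baseline for the host runc binary (added example).

The advisory says a malicious container may overwrite the contents of the
host's runc binary. An in-place overwrite changes the content hash and size
while leaving the path (and usually the inode) untouched, so a baseline of
the binary's SHA-256, size and mode re-checked periodically will flag it.
"""
import hashlib
import os
import stat
import tempfile

# Assumed location of the runtime binary; adjust for the distribution in use.
RUNC_PATH = "/usr/bin/runc"


def fingerprint(path):
    """Return the attributes worth baselining for an executable on the host."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "inode": st.st_ino,
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
    }


def check_integrity(path, baseline):
    """Compare the current state of `path` against `baseline`.

    Returns a list of human-readable findings; an empty list means the
    binary matches the baseline and is not world-writable.
    """
    current = fingerprint(path)
    findings = []
    for key in ("sha256", "size", "mode", "inode"):
        if current[key] != baseline[key]:
            findings.append(f"{key} changed: {baseline[key]!r} -> {current[key]!r}")
    if current["world_writable"]:
        findings.append("binary is world-writable")
    return findings


def demo():
    """Constructed demonstration: a temp file stands in for the runc binary."""
    with tempfile.TemporaryDirectory() as d:
        runc = os.path.join(d, "runc")
        with open(runc, "wb") as f:
            f.write(b"\x7fELF-placeholder-for-runc")  # constructed content
        os.chmod(runc, 0o755)
        baseline = fingerprint(runc)
        clean = check_integrity(runc, baseline)
        # Simulate the overwrite the advisory describes: same path, new contents.
        with open(runc, "wb") as f:
            f.write(b"replaced-content-of-different-length")  # constructed
        tampered = check_integrity(runc, baseline)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean baseline check:", clean)
    print("after overwrite:", tampered)
```

In production the baseline dictionary would be written once after patching (for example when PKS or CSE is upgraded) and stored off the host, then compared against `fingerprint(RUNC_PATH)` from a host-level job; a non-empty result from `check_integrity` is the alert condition.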
Fixed versions:
VMware PKS 1.3.2
VMware vCloud Director Container Service Extension 1.2.7