Runc and Buildkit CVE update: CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, CVE-2024-23653

We recently became aware of four CVEs related to runc and Buildkit [more on Docker’s blog here: Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby | Docker].

For cloud customers:
As of February 1, 2024 at 15:00 UTC we have fully addressed these CVEs on our cloud service, and no further action is needed for cloud customers at this time.

For server customers:
If you are using CircleCI’s Terraform to create Nomad client clusters, you should upgrade to the latest version, 4.4.1 [Release 4.4.1 Release · CircleCI-Public/server-terraform · GitHub]. You can apply this change to any CircleCI server version of 4.0 and above. If your team is using your own Terraform to create Nomad clients, please reach out to your internal infrastructure team about updating the Docker engine in those clients.

For questions, please reach out to security@circleci.com.
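For server customers who manage their own Nomad clients, the practical question after updating the Docker engine is whether the installed runc and engine are actually at a fixed release. The script below is an added example and is not CircleCI's, Docker's or the server-terraform module's own code. It assumes the fixed versions published in the upstream advisories (runc 1.1.12 for CVE-2024-21626; Docker Engine 25.0.2, which bundles BuildKit 0.12.5, for CVE-2024-23651/23652/23653), parses the output of `runc --version` and `docker version --format '{{.Server.Version}}'`, and reports `patched`, `vulnerable` or `unknown`. The sample outputs in the block are constructed so that it runs offline; pass `--live` to query the host it is run on.

```shell
#!/bin/sh
# Added example: check a Nomad client's runc and Docker Engine against the
# releases that fix CVE-2024-21626 and CVE-2024-23651/23652/23653.
# Fixed versions are assumptions taken from the upstream advisories.
RUNC_FIXED="1.1.12"
ENGINE_FIXED="25.0.2"

# version_ge A B: exit 0 if dotted version A >= B.
# Leading "v" and "+build" metadata are ignored; a pre-release of the fixed
# version (e.g. 1.1.12-rc.1) is treated as older than the release.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/[-+].*//')
    i=1
    while [ "$i" -le 3 ]; do
        # Append ".0.0" so fields 1-3 always exist for cut.
        x=$(printf '%s' "$a.0.0" | cut -d. -f"$i")
        y=$(printf '%s' "$b.0.0" | cut -d. -f"$i")
        case "$x" in ''|*[!0-9]*) x=0;; esac
        case "$y" in ''|*[!0-9]*) y=0;; esac
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    case "$1" in *-*) return 1;; esac
    return 0
}

# runc_status "<output of runc --version>": prints patched|vulnerable|unknown
runc_status() {
    v=$(printf '%s\n' "$1" | awk '/^runc version/ {print $3; exit}')
    [ -n "$v" ] || { echo unknown; return; }
    if version_ge "$v" "$RUNC_FIXED"; then echo patched; else echo vulnerable; fi
}

# engine_status "<output of docker version --format '{{.Server.Version}}'>"
engine_status() {
    v=$(printf '%s' "$1" | tr -d '[:space:]')
    [ -n "$v" ] || { echo unknown; return; }
    if version_ge "$v" "$ENGINE_FIXED"; then echo patched; else echo vulnerable; fi
}

# Constructed sample output in the shape runc prints (not captured from a real host).
SAMPLE_OLD_RUNC="runc version 1.1.11
spec: 1.0.2-dev"
SAMPLE_NEW_RUNC="runc version 1.1.12
spec: 1.0.2-dev"

if [ "${1-}" = "--live" ]; then
    # Query the host this script runs on (a Nomad client); skip tools that are absent.
    if command -v runc >/dev/null 2>&1; then
        echo "runc:   $(runc_status "$(runc --version 2>/dev/null)")"
    fi
    if command -v docker >/dev/null 2>&1; then
        echo "engine: $(engine_status "$(docker version --format '{{.Server.Version}}' 2>/dev/null)")"
    fi
else
    echo "sample runc 1.1.11: $(runc_status "$SAMPLE_OLD_RUNC")"
    echo "sample runc 1.1.12: $(runc_status "$SAMPLE_NEW_RUNC")"
    echo "sample engine 24.0.7: $(engine_status "24.0.7")"
    echo "sample engine 25.0.2: $(engine_status "25.0.2")"
fi
```

Run it with `--live` on each Nomad client (or under `nomad alloc exec` is not needed; the engine is on the host) and treat any `vulnerable` or `unknown` result as a client that still needs the engine update. The version comparison is deliberately strict about pre-release tags because a runc release candidate carrying the fixed number does not necessarily contain the fix.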

Should we update setup_remote_docker in our config to mitigate this issue?

Hi Arjun,
As a cloud customer, no mitigation steps are needed. With any security-related activity, it is always a good idea to upgrade to the latest version. And it is best practice to rotate secrets, for that matter.