Azure Linux 3.0 Security Update: kata-containers / kata-containers-cc / rpm-ostree (CVE-2024-27308)

high Nessus Plugin ID 244820

Synopsis

The remote Azure Linux host is missing one or more security updates.

Description

The version of kata-containers / kata-containers-cc / rpm-ostree installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-27308 advisory.

- Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens may be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability may result in a use-after-free. For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio. The vulnerability is Windows-specific, and can only happen if you are using named pipes. Other IO resources are not affected. This vulnerability has been fixed in mio v0.8.11. All versions of mio between v0.7.2 and v0.8.10 are vulnerable. Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable. Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens. (CVE-2024-27308)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://nvd.nist.gov/vuln/detail/CVE-2024-27308

Plugin Details

Severity: High

ID: 244820

File Name: azure_linux_CVE-2024-27308.nasl

Version: 1.1

Type: local

Published: 8/7/2025

Updated: 8/7/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2024-27308

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:microsoft:azure_linux:kata-containers, p-cpe:/a:microsoft:azure_linux:kata-containers-cc, p-cpe:/a:microsoft:azure_linux:rpm-ostree-devel, x-cpe:/o:microsoft:azure_linux, p-cpe:/a:microsoft:azure_linux:rpm-ostree, p-cpe:/a:microsoft:azure_linux:kata-containers-tools, p-cpe:/a:microsoft:azure_linux:kata-containers-cc-tools

Required KB Items: Host/local_checks_enabled, Host/AzureLinux/release, Host/AzureLinux/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 8/6/2025

Vulnerability Publication Date: 3/4/2024

Reference Information

CVE: CVE-2024-27308