Bug 1664908 (CVE-2019-5736)

Summary: CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abhgupta, adimania, admiller, ahardin, amurdaca, aos-bugs, bbaude, bgilbert, bleanhar, bmontgom, ccoleman, cperry, crrobins, damichae, dbaker, dedgar, dornelas, dwalsh, eparis, gmollett, grocha, hasuzuki, ichavero, jburrell, jcajka, jchaloup, jgoulding, jligon, joedward, jokerman, jshepherd, karlthered, knakayam, lrock, lsm5, mchappel, mpatel, mzibrick, nalin, nstielau, pasik, pokorra.mailinglists, sagarun, santiago, security-response-team, sfowler, silas, skontar, sponnaga, sthangav, thomas.moschny, TicoTimo, trankin, tsweeney, vbatts
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: runc v1.0.0-rc7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.
Story Points: ---
Last Closed: 2019-06-10 10:45:06 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1664954, 1664955, 1664956, 1665326, 1665327, 1667290, 1674488, 1674489, 1674490, 1674491, 1674492, 1674493, 1676714, 1676734, 1676798, 1677075, 1677076, 1677077, 1677078, 1701273    
Bug Blocks: 1664909, 1673431, 1673432, 1673433, 1673434, 1673435    
Attachments:
  updates the vendored library needed for runc to access memfd_create (flags: none)
  runc to use memfd_create (flags: none)

Description Sam Fowler 2019-01-10 02:11:10 UTC
runc has a vulnerability in the usage of system file descriptors that allows for container escape and access to the host filesystem. An attacker can exploit this by convincing users to run malicious or modified containers on their systems.

Comment 4 Daniel Walsh 2019-01-10 13:15:06 UTC
Will write a nice blog on this when it goes public.

Comment 13 Vincent Batts 2019-01-11 13:56:32 UTC
Created attachment 1520029 [details]
updates the vendored library needed for runc to access memfd_create

Comment 14 Vincent Batts 2019-01-11 13:57:06 UTC
Created attachment 1520030 [details]
runc to use memfd_create

Comment 27 Jason Shepherd 2019-01-15 23:02:44 UTC
Acknowledgments:

Name: the Open Containers Security Team
Upstream: Adam Iwaniuk, Borys Popławski

Comment 57 Sam Fowler 2019-02-11 13:22:47 UTC
Created container-tools:2017.0/runc tracking bugs for this issue:

Affects: fedora-all [bug 1674489]

Created container-tools:2018.0/runc tracking bugs for this issue:

Affects: fedora-29 [bug 1674490]

Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1674491]

Created lxc tracking bugs for this issue:

Affects: epel-all [bug 1674493]
Affects: fedora-all [bug 1674492]

Created runc tracking bugs for this issue:

Affects: fedora-all [bug 1674488]

Comment 61 errata-xmlrpc 2019-02-11 14:39:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0303 https://access.redhat.com/errata/RHSA-2019:0303

Comment 62 errata-xmlrpc 2019-02-11 14:44:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0304 https://access.redhat.com/errata/RHSA-2019:0304

Comment 65 Sam Fowler 2019-02-12 01:40:58 UTC
Mitigation:

This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a prerequisite for OpenShift Container Platform 3.x.

Comment 70 Sam Fowler 2019-02-13 09:33:17 UTC
Created docker-latest tracking bugs for this issue:

Affects: fedora-all [bug 1676798]

Comment 75 Fedora Update System 2019-02-19 05:53:46 UTC
moby-engine-18.06.0-2.ce.git0ffa825.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 76 Fedora Update System 2019-02-19 14:02:28 UTC
moby-engine-18.06.0-2.ce.git0ffa825.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 77 errata-xmlrpc 2019-02-25 22:46:18 UTC
This issue has been addressed in the following products:

  Container Development Kit 3.7

Via RHSA-2019:0401 https://access.redhat.com/errata/RHSA-2019:0401

Comment 78 errata-xmlrpc 2019-02-26 09:42:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.4
  Red Hat OpenShift Container Platform 3.5
  Red Hat OpenShift Container Platform 3.6
  Red Hat OpenShift Container Platform 3.7

Via RHSA-2019:0408 https://access.redhat.com/errata/RHSA-2019:0408

Comment 79 Sam Fowler 2019-02-27 03:04:02 UTC
Statement:

The 'docker' package shipped in Red Hat Enterprise Linux 7 Extras bundles 'runc' starting from 'docker' version 1.12. Both the 'docker' and 'runc' packages are affected by this issue.

The 'docker-latest' package is deprecated as of Red Hat Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Red Hat Enterprise Linux 7 Extras.

OpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Red Hat Enterprise Linux 7 Extras.

OCP versions 3.4 through 3.7 originally used 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel. An updated version of 'docker' 1.12 has been delivered to the RPM channels for OCP versions 3.4 through 3.7.

OCP version 3.9 previously shipped a version of 'runc' in its RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Red Hat Enterprise Linux 7 Extras channel.

Red Hat Enterprise Linux Atomic Host 7 is not affected by this vulnerability as the target runc binaries are stored on a read-only filesystem and cannot be overwritten.

Comment 80 errata-xmlrpc 2019-05-07 04:19:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0975 https://access.redhat.com/errata/RHSA-2019:0975