Bug 1757214 (CVE-2019-16884)
Summary: | CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | adimania, admiller, amurdaca, aos-bugs, bbaude, bmontgom, dbecker, dedgar, dominik.mierzejewski, dwalsh, eparis, frantisek.kluknavsky, gscrivan, hartsjc, ichavero, jburrell, jcajka, jchaloup, jjoyce, jnovy, jokerman, jschluet, kbasil, lhh, lpeer, lsm5, mburns, mpatel, nalin, nstielau, o.lemasle, santiago, sclewis, slinaber, sponnaga, TicoTimo, vbatts
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-11-21 13:04:53 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1757290, 1759650, 1759651, 1760088, 1760989, 1760990, 1764182, 1765465, 1765467, 1765468, 1810703 | |
Bug Blocks: | 1757218 | |
Description
Guilherme de Almeida Suckevicz
2019-09-30 20:36:53 UTC
Created runc tracking bugs for this issue:

Affects: fedora-all [bug 1757290]

According to the upstream bug report, this also affects SELinux labels:
- https://github.com/opencontainers/runc/issues/2128#issuecomment-535478352

Yes, this is an SELinux issue as well as an AppArmor problem.

Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1760989]
Affects: openstack-rdo [bug 1760990]

Statement:

The AppArmor security module is not supported by Red Hat; on the other hand, the flaw also affects SELinux-based distributions like Red Hat Enterprise Linux. When creating a new container, runc doesn't properly validate whether a non-procfs filesystem is being mounted on top of the /proc mount point. As runc relies on attr entries to read or set SELinux labels, an attacker may leverage this weakness by creating a crafted container image, with malicious values set in the security attributes entry for processes, and mounted on top of the container's /proc. This flaw may allow containers to run with more privileged SELinux labels than the default, allowing tasks confined inside the container instance to eventually execute unexpected actions. The security impact for this issue is considered Medium for Red Hat Enterprise Linux, as with SELinux the task still runs confined under a less privileged label than unconfined_t.

WIP backports here: https://github.com/projectatomic/runc/pull/28

Upstream Fix: https://github.com/opencontainers/runc/pull/2129

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.1
Via RHSA-2019:3940 https://access.redhat.com/errata/RHSA-2019:3940

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-16884

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.2
Via RHSA-2019:4074 https://access.redhat.com/errata/RHSA-2019:4074

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:4269 https://access.redhat.com/errata/RHSA-2019:4269

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7 Extras
Via RHSA-2020:1234 https://access.redhat.com/errata/RHSA-2020:1234

This CVE was fixed in runc Red Hat Enterprise Linux 7.8 - Extra Packages via RHSA-2020:1232 https://access.redhat.com/errata/RHBA-2020:1232
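The statement above boils down to one missing validation: the runtime accepted a container configuration whose mount list shadowed /proc with something that is not procfs, and then trusted the attr entries it found there. The example below, written for this page and not taken from runc or any Red Hat package, shows the defensive side of that in Go: it parses the `mounts` array of an OCI-style config.json and rejects any mount that would put a non-procfs filesystem on /proc (including cleaned variants such as `/proc/` or `/proc/../proc`) or that overrides an entry under /proc outside a small allow-list. The allow-list, the `AuditConfig` helper and the sample config.json are assumptions constructed for this example; the sample image path and mount sources are not real.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Mount and Spec are a minimal subset of an OCI runtime config.json,
// just enough to inspect the "mounts" array.
type Mount struct {
	Destination string   `json:"destination"`
	Type        string   `json:"type"`
	Source      string   `json:"source"`
	Options     []string `json:"options,omitempty"`
}

type Spec struct {
	Mounts []Mount `json:"mounts"`
}

// allowedProcOverrides lists procfs files a runtime commonly replaces with
// bind mounts (resource views such as those provided by LXCFS). The list is
// an assumption made for this example, not a list taken from runc.
var allowedProcOverrides = map[string]bool{
	"/proc/cpuinfo":   true,
	"/proc/diskstats": true,
	"/proc/meminfo":   true,
	"/proc/stat":      true,
	"/proc/swaps":     true,
	"/proc/uptime":    true,
	"/proc/loadavg":   true,
}

// ParseSpec decodes a config.json document.
func ParseSpec(raw []byte) (Spec, error) {
	var s Spec
	if err := json.Unmarshal(raw, &s); err != nil {
		return Spec{}, fmt.Errorf("parse config.json: %w", err)
	}
	return s, nil
}

// CheckProcMounts returns one error per mount that would shadow /proc
// (the whole tree, or any entry under it that is not explicitly allowed)
// with something other than procfs. Destinations are cleaned first so that
// spellings such as "/proc/" or "/proc/../proc" are treated as "/proc".
func CheckProcMounts(spec Spec) []error {
	var errs []error
	for _, m := range spec.Mounts {
		dest := filepath.Clean(m.Destination)
		switch {
		case dest == "/proc":
			if m.Type != "proc" {
				errs = append(errs, fmt.Errorf(
					"mount on /proc must be procfs, got type %q from source %q", m.Type, m.Source))
			}
		case strings.HasPrefix(dest, "/proc/"):
			if !allowedProcOverrides[dest] {
				errs = append(errs, fmt.Errorf(
					"mount on %s shadows a procfs entry the runtime reads or writes", dest))
			}
		}
	}
	return errs
}

// AuditConfig parses a config.json and returns the list of findings.
func AuditConfig(raw []byte) ([]error, error) {
	spec, err := ParseSpec(raw)
	if err != nil {
		return nil, err
	}
	return CheckProcMounts(spec), nil
}

// sampleConfig is a constructed config.json (not a real image): the first
// mount is a legitimate procfs, the second and fourth shadow /proc with a
// bind mount, the third is an allowed per-file override.
const sampleConfig = `{
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/proc/", "type": "bind", "source": "/tmp/fake-proc", "options": ["rbind"]},
    {"destination": "/proc/cpuinfo", "type": "bind", "source": "/var/lib/lxcfs/proc/cpuinfo"},
    {"destination": "/proc/../proc", "type": "bind", "source": "/tmp/other-proc"}
  ]
}`

func main() {
	findings, err := AuditConfig([]byte(sampleConfig))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("REJECT:", f)
	}
	if len(findings) == 0 {
		fmt.Println("OK: no mount shadows /proc")
	}
}
```

A static check of the mount list is only half of the defence: it cannot see a destination that resolves to /proc through a symlink inside the image's rootfs. The complementary runtime check is to verify, with fstatfs on the already-open file handle, that the filesystem really is procfs before reading or writing a label through an attr entry, which is the approach the upstream fix linked above takes.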