Bug 1757214 (CVE-2019-16884) - CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc
Summary: CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specif...
Alias: CVE-2019-16884
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1757290 1759650 1759651 1760088 1760989 1760990 1764182 1765465 1765467 1765468 1810703
Blocks: 1757218
TreeView+ depends on / blocked
Reported: 2019-09-30 20:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 21:20 UTC (History)
37 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-21 13:04:53 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3940 0 None None None 2019-11-21 09:50:31 UTC
Red Hat Product Errata RHSA-2019:4074 0 None None None 2019-12-03 21:05:49 UTC
Red Hat Product Errata RHSA-2019:4269 0 None None None 2019-12-17 10:47:37 UTC
Red Hat Product Errata RHSA-2020:1234 0 None None None 2020-04-01 00:26:26 UTC

Description Guilherme de Almeida Suckevicz 2019-09-30 20:36:53 UTC
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.


Comment 1 Dhananjay Arunesh 2019-10-01 05:37:28 UTC
Created runc tracking bugs for this issue:

Affects: fedora-all [bug 1757290]

Comment 2 Dave Baker 2019-10-01 12:27:47 UTC
According to the upstream bug report, this also affects SELinux labels:
- https://github.com/opencontainers/runc/issues/2128#issuecomment-535478352

Comment 3 Daniel Walsh 2019-10-01 12:58:29 UTC
Yes this is an SELinux issue as well as an AppArmor problem.

Comment 14 Marco Benatto 2019-10-11 21:17:48 UTC
Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1760989]
Affects: openstack-rdo [bug 1760990]

Comment 15 Marco Benatto 2019-10-11 21:24:03 UTC

The AppArmor security module is not supported by Red Hat, on the other hand the flaw also affects SELinux based distributions like Red Hat Enterprise Linux.

Comment 16 Marco Benatto 2019-10-11 21:30:36 UTC
When creating a new container runc doesn't proper validate whether a non-procfs filesystem is being mounted on top of /proc mount point. As runc relies on attr entries to read or set SELinux labels and attacker may leverage this weakness by creating a crafted container image, with malicious values set on security attributes entry for processes, and mounted on top of container's /proc. This flaw may allow containers to run with more privileged SELinux labels than the default, allowing tasks confined inside the container instance to eventually execute non expected actions.
The security impact for this issue is considered Medium for Red Hat Enterprise Linux, as with SELinux the task still runs confined under a less privileged label than unconfined_t.

Comment 17 Giuseppe Scrivano 2019-10-14 13:44:56 UTC
WIP backports here: https://github.com/projectatomic/runc/pull/28

Comment 18 Sam Fowler 2019-10-25 07:30:17 UTC
Upstream Fix:


Comment 20 errata-xmlrpc 2019-11-21 09:50:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3940 https://access.redhat.com/errata/RHSA-2019:3940

Comment 21 Product Security DevOps Team 2019-11-21 13:04:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 22 errata-xmlrpc 2019-12-03 21:05:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2019:4074 https://access.redhat.com/errata/RHSA-2019:4074

Comment 23 errata-xmlrpc 2019-12-17 10:47:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4269 https://access.redhat.com/errata/RHSA-2019:4269

Comment 28 errata-xmlrpc 2020-04-01 00:26:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1234 https://access.redhat.com/errata/RHSA-2020:1234

Comment 29 Marco Benatto 2020-04-09 18:03:51 UTC
This CVE was fixed in runc Red Hat Enterprise Linux 7.8 - Extra Packages via RHSA-2020:1232 https://access.redhat.com/errata/RHBA-2020:1232

Note You need to log in before you can comment on or make changes to this bug.