An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume. Upstream Issue: https://github.com/opencontainers/runc/issues/2197
Created docker tracking bugs for this issue:
Affects: fedora-all [bug 1796110]
Affects: openstack-rdo [bug 1796112]
Created runc tracking bugs for this issue:
Affects: fedora-all [bug 1796109]
Upstream commit for this issue: https://github.com/opencontainers/runc/pull/2207/commits/3291d66b98445bd7f7d02eac7f2bca2ac2c56942
Jindrich, can you get an update out for this?
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:0688 https://access.redhat.com/errata/RHSA-2020:0688
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19921
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2020:0695 https://access.redhat.com/errata/RHSA-2020:0695
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:0942 https://access.redhat.com/errata/RHSA-2020:0942
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:1485 https://access.redhat.com/errata/RHSA-2020:1485
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:1650 https://access.redhat.com/errata/RHSA-2020:1650