Bug 1664908 (CVE-2019-5736) - CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem
Summary: CVE-2019-5736 runc: Execution of malicious containers allows for container es...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-5736
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1674493 1664954 1664955 1664956 1665326 1665327 1667290 1674488 1674489 1674490 1674491 1674492 1676714 1676734 1676798 1677075 1677076 1677077 1677078 1701273
Blocks: 1664909 1673431 1673432 1673433 1673434 1673435
TreeView+ depends on / blocked
 
Reported: 2019-01-10 02:11 UTC by Sam Fowler
Modified: 2022-03-13 16:42 UTC (History)
55 users (show)

Fixed In Version: runc v1.0.0-rc7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:45:06 UTC
Embargoed:

Attachments (Terms of Use)
updates the vendored library needed for runc to access memfd_create (4.39 MB, patch)
2019-01-11 13:56 UTC, Vincent Batts 		no flags Details | Diff
runc to use memfd_create (3.44 KB, patch)
2019-01-11 13:57 UTC, Vincent Batts 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0303 0 None None None 2019-02-11 14:39:26 UTC
Red Hat Product Errata RHSA-2019:0304 0 None None None 2019-02-11 14:44:46 UTC
Red Hat Product Errata RHSA-2019:0401 0 None None None 2019-02-25 22:46:20 UTC
Red Hat Product Errata RHSA-2019:0408 0 None None None 2019-02-26 09:42:53 UTC
Red Hat Product Errata RHSA-2019:0975 0 None None None 2019-05-07 04:19:18 UTC

Description Sam Fowler 2019-01-10 02:11:10 UTC 
runc has a vulnerability in the usage of system file descriptors that allows for container escape and access to the host filesystem. An attacker can exploit this by convincing users to run malicious or modified containers on their systems.
Comment 4 Daniel Walsh 2019-01-10 13:15:06 UTC 
Will write a nice blog on this when it goes public.
Comment 13 Vincent Batts 2019-01-11 13:56:32 UTC 
Created attachment 1520029 [details]
updates the vendored library needed for runc to access memfd_create
Comment 14 Vincent Batts 2019-01-11 13:57:06 UTC 
Created attachment 1520030 [details]
runc to use memfd_create
Comment 27 Jason Shepherd 2019-01-15 23:02:44 UTC 
Acknowledgments:

Name: the Open Containers Security Team
Upstream: Adam Iwaniuk, Borys Popławski
Comment 57 Sam Fowler 2019-02-11 13:22:47 UTC 
Created container-tools:2017.0/runc tracking bugs for this issue:

Affects: fedora-all [bug 1674489]


Created container-tools:2018.0/runc tracking bugs for this issue:

Affects: fedora-29 [bug 1674490]


Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1674491]


Created lxc tracking bugs for this issue:

Affects: epel-all [bug 1674493]
Affects: fedora-all [bug 1674492]


Created runc tracking bugs for this issue:

Affects: fedora-all [bug 1674488]
Comment 59 Sam Fowler 2019-02-11 13:25:08 UTC 
Upstream Patches:

runc:
https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b

lxc:
https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
Comment 61 errata-xmlrpc 2019-02-11 14:39:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0303 https://access.redhat.com/errata/RHSA-2019:0303
Comment 62 errata-xmlrpc 2019-02-11 14:44:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0304 https://access.redhat.com/errata/RHSA-2019:0304
Comment 65 Sam Fowler 2019-02-12 01:40:58 UTC 
Mitigation:

This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a pre-requisite for OpenShift Container Platform 3.x.
Comment 70 Sam Fowler 2019-02-13 09:33:17 UTC 
Created docker-latest tracking bugs for this issue:

Affects: fedora-all [bug 1676798]
Comment 71 Sam Fowler 2019-02-13 11:26:08 UTC 
External References:

https://access.redhat.com/security/vulnerabilities/runcescape
https://seclists.org/oss-sec/2019/q1/119
https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
Comment 75 Fedora Update System 2019-02-19 05:53:46 UTC 
moby-engine-18.06.0-2.ce.git0ffa825.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 76 Fedora Update System 2019-02-19 14:02:28 UTC 
moby-engine-18.06.0-2.ce.git0ffa825.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
Comment 77 errata-xmlrpc 2019-02-25 22:46:18 UTC 
This issue has been addressed in the following products:

  Container Development Kit 3.7

Via RHSA-2019:0401 https://access.redhat.com/errata/RHSA-2019:0401
Comment 78 errata-xmlrpc 2019-02-26 09:42:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.4
  Red Hat OpenShift Container Platform 3.5
  Red Hat OpenShift Container Platform 3.6
  Red Hat OpenShift Container Platform 3.7

Via RHSA-2019:0408 https://access.redhat.com/errata/RHSA-2019:0408
Comment 79 Sam Fowler 2019-02-27 03:04:02 UTC 
Statement:

The 'docker' package shipped in Red Hat Enterprise Linux 7 Extras bundles 'runc' since 'docker' starting from version 1.12. Both the 'docker' and 'runc' packages are affected by this issue.

The 'docker-latest' package is deprecated as of Red Hat Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Red Hat Enterprise Linux 7 Extras.

OpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Red Hat Enterprise Linux 7 Extras.

OCP versions 3.4 through 3.7 originally used 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel. An updated version of 'docker' 1.12 has been delivered to the RPM channels for OCP versions 3.4 through 3.7.

OCP version 3.9 previously shipped a version of 'runc' in it's RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Red Hat Enterprise Linux 7 Extras channel.

Red Hat Enterprise Linux Atomic Host 7 is not affected by this vulnerability as the target runc binaries are stored on a read-only filesystem and cannot be overwritten.
Comment 80 errata-xmlrpc 2019-05-07 04:19:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0975 https://access.redhat.com/errata/RHSA-2019:0975
Note You need to log in before you can comment on or make changes to this bug.