runc has a vulnerability in the usage of system file descriptors that allows for container escape and access to the host filesystem. An attacker can exploit this by convincing users to run malicious or modified containers on their systems.
Will write a nice blog on this when it goes public.
Created attachment 1520029: updates the vendored library needed for runc to access memfd_create
Created attachment 1520030: runc to use memfd_create
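Added illustration of the memfd_create approach the attached patch relies on; this is not runc's own code or the attachment itself, and the function names are mine. It copies the running executable into an anonymous memfd and seals it, so that a process re-executing from that descriptor no longer exposes the on-disk binary through /proc/self/exe, and shows how a defender can verify the seal actually refuses modification.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy the running executable (/proc/self/exe) into an anonymous, sealed
 * memfd. Returns the sealed fd, or -1 on failure.
 * Hypothetical name; not taken from runc. */
int clone_self_to_sealed_memfd(void)
{
    int src = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    /* MFD_ALLOW_SEALING is required, or F_ADD_SEALS fails with EPERM. */
    int mfd = memfd_create("sealed-self", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) { close(src); return -1; }
    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0) { close(src); close(mfd); return -1; }
            off += w;
        }
    }
    close(src);
    if (n < 0) { close(mfd); return -1; }
    /* Seal the copy: it can no longer be written, grown, shrunk or re-sealed. */
    if (fcntl(mfd, F_ADD_SEALS,
              F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(mfd);
        return -1;
    }
    return mfd;
}

/* Returns 1 if the descriptor carries the write seal, 0 otherwise. */
int memfd_is_write_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & F_SEAL_WRITE) != 0;
}

/* Returns 1 if an attempt to modify the sealed copy is refused with EPERM. */
int memfd_rejects_write(int fd)
{
    char byte = 0;
    return pwrite(fd, &byte, 1, 0) < 0 && errno == EPERM;
}
```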
Acknowledgments: Name: the Open Containers Security Team Upstream: Adam Iwaniuk, Borys Popławski
Created container-tools:2017.0/runc tracking bugs for this issue: Affects: fedora-all [bug 1674489]
Created container-tools:2018.0/runc tracking bugs for this issue: Affects: fedora-29 [bug 1674490]
Created docker tracking bugs for this issue: Affects: fedora-all [bug 1674491]
Created lxc tracking bugs for this issue: Affects: epel-all [bug 1674493] Affects: fedora-all [bug 1674492]
Created runc tracking bugs for this issue: Affects: fedora-all [bug 1674488]
Upstream Patches: runc: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b lxc: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2019:0303 https://access.redhat.com/errata/RHSA-2019:0303
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2019:0304 https://access.redhat.com/errata/RHSA-2019:0304
Mitigation: This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a pre-requisite for OpenShift Container Platform 3.x.
Created docker-latest tracking bugs for this issue: Affects: fedora-all [bug 1676798]
External References: https://access.redhat.com/security/vulnerabilities/runcescape https://seclists.org/oss-sec/2019/q1/119 https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
moby-engine-18.06.0-2.ce.git0ffa825.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
moby-engine-18.06.0-2.ce.git0ffa825.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Container Development Kit 3.7 Via RHSA-2019:0401 https://access.redhat.com/errata/RHSA-2019:0401
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.4 Red Hat OpenShift Container Platform 3.5 Red Hat OpenShift Container Platform 3.6 Red Hat OpenShift Container Platform 3.7 Via RHSA-2019:0408 https://access.redhat.com/errata/RHSA-2019:0408
Statement: The 'docker' package shipped in Red Hat Enterprise Linux 7 Extras has bundled 'runc' since 'docker' version 1.12. Both the 'docker' and 'runc' packages are affected by this issue. The 'docker-latest' package is deprecated as of Red Hat Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Red Hat Enterprise Linux 7 Extras. OpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Red Hat Enterprise Linux 7 Extras. OCP versions 3.4 through 3.7 originally used 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel. An updated version of 'docker' 1.12 has been delivered to the RPM channels for OCP versions 3.4 through 3.7. OCP version 3.9 previously shipped a version of 'runc' in its RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Red Hat Enterprise Linux 7 Extras channel. Red Hat Enterprise Linux Atomic Host 7 is not affected by this vulnerability, as the target runc binaries are stored on a read-only filesystem and cannot be overwritten.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:0975 https://access.redhat.com/errata/RHSA-2019:0975