Bug 1664908 (CVE-2019-5736) - CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem
Status: NEW
Alias: CVE-2019-5736
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: high
Severity: high
Assignee: Red Hat Product Security
Whiteboard: impact=important,public=20190211:1322...
Keywords: Security
Depends On: 1674061 1674489 1674490 1674492 1674493 1676714 1676734 1677075 1677076 1677077 1677078 1664954 1664955 1664956 1665326 1665327 1667290 1674488 1674491 1676798
Blocks: 1664909 1673431 1673432 1673433 1673434 1673435
Reported: 2019-01-10 02:11 UTC by Sam Fowler
Modified: 2019-02-21 15:34 UTC (History)
Doc Text:
A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.

Attachments
updates the vendored library needed for runc to access memfd_create (4.39 MB, patch)
2019-01-11 13:56 UTC, Vincent Batts
runc to use memfd_create (3.44 KB, patch)
2019-01-11 13:57 UTC, Vincent Batts

External Trackers
Red Hat Product Errata RHSA-2019:0303 (last updated 2019-02-11 14:39 UTC)
Red Hat Product Errata RHSA-2019:0304 (last updated 2019-02-11 14:44 UTC)

Description Sam Fowler 2019-01-10 02:11:10 UTC
runc has a vulnerability in the usage of system file descriptors that allows for container escape and access to the host filesystem. An attacker can exploit this by convincing users to run malicious or modified containers on their systems.

Comment 4 Daniel Walsh 2019-01-10 13:15:06 UTC
Will write a nice blog on this when it goes public.

Comment 13 Vincent Batts 2019-01-11 13:56 UTC
Created attachment 1520029 [details]
updates the vendored library needed for runc to access memfd_create

Comment 14 Vincent Batts 2019-01-11 13:57 UTC
Created attachment 1520030 [details]
runc to use memfd_create

Comment 27 Jason Shepherd 2019-01-15 23:02:44 UTC
Acknowledgments:

Name: the Open Containers Security Team
Upstream: Adam Iwaniuk, Borys Popławski

Comment 57 Sam Fowler 2019-02-11 13:22:47 UTC
Created container-tools:2017.0/runc tracking bugs for this issue:
Affects: fedora-all [bug 1674489]

Created container-tools:2018.0/runc tracking bugs for this issue:
Affects: fedora-29 [bug 1674490]

Created docker tracking bugs for this issue:
Affects: fedora-all [bug 1674491]

Created lxc tracking bugs for this issue:
Affects: epel-all [bug 1674493]
Affects: fedora-all [bug 1674492]

Created runc tracking bugs for this issue:
Affects: fedora-all [bug 1674488]

Comment 61 errata-xmlrpc 2019-02-11 14:39:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0303 https://access.redhat.com/errata/RHSA-2019:0303

Comment 62 errata-xmlrpc 2019-02-11 14:44:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0304 https://access.redhat.com/errata/RHSA-2019:0304

Comment 65 Sam Fowler 2019-02-12 01:40:58 UTC
Mitigation:

This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a prerequisite for OpenShift Container Platform 3.x.

Comment 70 Sam Fowler 2019-02-13 09:33:17 UTC
Created docker-latest tracking bugs for this issue:

Affects: fedora-all [bug 1676798]

Comment 74 Sam Fowler 2019-02-14 01:00:45 UTC
Statement:

The 'docker' package shipped in Red Hat Enterprise Linux 7 Extras has bundled 'runc' since 'docker' version 1.12. Both the 'docker' and 'runc' packages are affected by this issue.

The 'docker-latest' package is deprecated as of Red Hat Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Red Hat Enterprise Linux 7 Extras.

OpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Red Hat Enterprise Linux 7 Extras.

OCP versions 3.4 through 3.7 use 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel, which is also affected by this issue.

OpenShift Container Platform 3.9 previously shipped a version of 'runc' in its RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Red Hat Enterprise Linux 7 Extras channel.

Red Hat Enterprise Linux Atomic Host 7 is not affected by this vulnerability as the target runc binaries are stored on a read-only filesystem and cannot be overwritten.

Comment 75 Fedora Update System 2019-02-19 05:53:46 UTC
moby-engine-18.06.0-2.ce.git0ffa825.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 76 Fedora Update System 2019-02-19 14:02:28 UTC
moby-engine-18.06.0-2.ce.git0ffa825.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

