RunC & Docker Container Break Out Vulnerability

Tuesday, Feb 12, 2019

Runc is a fundamental component in many Linux-based container engines.

A flaw has been found in runc that allows a malicious container to gain root-level access on the host machine. The issue has been assigned CVE-2019-5736 and has been rated with a security impact of Important.

Background Information

A vulnerability discovered in runc allows a process inside a container to break out of it and gain root-level access on the host machine.

This vulnerability affects both the docker and runc packages available on Red Hat Enterprise Linux 7, which are delivered through the Extras channel. OpenShift Container Platform (OCP) 3.x depends on these packages from Red Hat Enterprise Linux 7 Extras and is also affected.

Take Action

Red Hat strongly recommends that customers running affected versions of Red Hat products apply the RPM updates from the RHEL 7 Extras channel as soon as the errata become available. Customers of OpenShift Online or OpenShift Dedicated have SELinux enabled in enforcing mode on every host across all clusters; OSO/OSD is therefore expected to be mitigated, with security patches to be deployed during upcoming maintenance windows.

Acknowledgements

Red Hat thanks the upstream Open Containers Security Team for reporting this issue. Upstream acknowledges Adam Iwaniuk and Borys Popławski as the researchers who discovered this flaw.
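The Take Action guidance above comes down to two host-level checks: are the runc and docker RPMs at the erratum versions shipped through the RHEL 7 Extras channel, and is SELinux in enforcing mode. The POSIX shell script below is an added example, not code from this post or from Red Hat, that audits a RHEL 7 host for both. It assumes the standard `rpm`, `getenforce` and `yum` commands and the `rhel-7-server-extras-rpms` repository id; `FIXED_RUNC` and `FIXED_DOCKER` are placeholders for the version-release strings the erratum names, and every version string in the usage note is a constructed sample. Its version comparison is a simplified form of rpm's ordering (no epochs, tildes or carets), so `rpmdev-vercmp` remains the authoritative tool when in doubt.

```shell
#!/bin/sh
# Host audit for CVE-2019-5736 on RHEL 7 (added example, not Red Hat's or
# the advisory's own tooling). Reports the installed runc and docker
# version-release, whether SELinux is in enforcing mode, and whether the
# RHEL 7 Extras repository that carries the errata is enabled.
#
# FIXED_RUNC and FIXED_DOCKER are PLACEHOLDERS: set them to the
# version-release strings from the actual Red Hat erratum before use.
FIXED_RUNC="${FIXED_RUNC:-0.0.0-0}"
FIXED_DOCKER="${FIXED_DOCKER:-0.0.0-0}"
EXTRAS_REPO="rhel-7-server-extras-rpms"   # repo id of the RHEL 7 Extras channel

# selinux_enforcing MODE: success when MODE (the output of getenforce) is Enforcing.
selinux_enforcing() {
    [ "$1" = "Enforcing" ]
}

# version_ge A B: success when version-release A is at least B.
# Splits on "." and "-" and compares field by field, numerically when both
# fields are numeric, otherwise as strings. This is a simplified form of
# rpm's ordering (no epochs, tildes or carets); rpmdev-vercmp is authoritative.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "[.-]"); nb = split(b, B, "[.-]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : "0"; y = (i <= nb) ? B[i] : "0"
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x = x + 0; y = y + 0 }
            if (x < y) exit 1
            if (x > y) exit 0
        }
        exit 0
    }'
}

# assess_pkg NAME CURRENT FIXED: one-line verdict for a package.
# An empty CURRENT means the package is not installed.
assess_pkg() {
    if [ -z "$2" ]; then
        echo "INFO $1 is not installed"
    elif version_ge "$2" "$3"; then
        echo "OK   $1 $2 is at or above fixed $3"
    else
        echo "WARN $1 $2 is older than fixed $3, apply the Extras erratum"
    fi
}

# installed_version NAME: print VERSION-RELEASE of an installed RPM, nothing otherwise.
installed_version() {
    rpm -q "$1" >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$1" | head -n 1
}

# audit_host: run on the host itself; prints one finding per line.
audit_host() {
    mode=$(getenforce 2>/dev/null || echo unknown)
    if selinux_enforcing "$mode"; then
        echo "OK   SELinux is enforcing (mitigation in place)"
    else
        echo "WARN SELinux mode is '$mode', not Enforcing"
    fi
    if yum -q repolist enabled 2>/dev/null | grep -q "$EXTRAS_REPO"; then
        echo "OK   $EXTRAS_REPO is enabled"
    else
        echo "WARN $EXTRAS_REPO is not enabled, errata cannot be installed from it"
    fi
    assess_pkg runc "$(installed_version runc || true)" "$FIXED_RUNC"
    assess_pkg docker "$(installed_version docker || true)" "$FIXED_DOCKER"
}

audit_host
```

Run it on the host as `FIXED_RUNC=<erratum version> FIXED_DOCKER=<erratum version> sh audit-runc.sh`, or source it and call `assess_pkg runc 1.0.0-57.el7 1.0.0-59.el7` (constructed sample versions) to see a WARN verdict; `assess_pkg runc 1.13.1-100.el7 1.13.1-91.el7` shows that release numbers are compared numerically rather than as text.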

Source List:
https://access.redhat.com/security/cve/cve-2019-5736
https://www.redhat.com/en/contact/it-starts-linux-how-red-hat-helping-counter-linux-container-security-flaws
https://access.redhat.com/security/vulnerabilities/runcescape

Contact

SNOKE CONNECT S.L.

Camino del Morro, 17
35640, La Oliva, Spain
contact@snoke-connect.com