IMPORTANT ANNOUNCEMENT: This website was decommissioned on July 18, 2022

Posted on July 18, 2022

This site is no longer being updated with new postings. Please visit the UBC IT Status Page at https://status.it.ubc.ca for any new status updates and incident notifications. For operational status of our enterprise-level services, users can now subscribe in multiple ways that now includes push notifications:

  • Email
  • SMS
  • Slack integration
  • Twitter
  • Webhooks
  • RSS feed
  • Custom Embed via Status API

You will be redirected shortly to the Status Page or follow the link below to go there now.

Visit the UBC IT Status Page

 

IMPORTANT ANNOUNCEMENT: This website will be decommissioned on July 18, 2022

Posted on June 20, 2022

The UBC IT Bulletins site will no longer be updated on July 18, 2022 and users will need to visit its replacement, the UBC IT Status Page at https://status.it.ubc.ca, where they can view or subscribe to status updates and incident notifications.

UBC IT Bulletins was kept as a legacy site in order to temporarily maintain RSS feeds and intended to provide users time to switch their subscriptions to the Status Page channels.

Before the decommission date of July 18, 2022, we recommend visitors go to https://status.it.ubc.ca to begin subscribing to the new notifications the Status Page has to offer. For our enterprise-level services, users can now subscribe in multiple ways that now include customizable push notifications:

  • SMS messaging
  • Email notifications
  • Webhooks
  • Twitter feed
  • A general RSS feed
  • Custom Slack notifications
  • Custom embed code via an API

Visit the UBC IT Status Page

Run Container “runc” Vulnerability

By Operations Centre on February 12, 2019

A severe vulnerability has been detected in run containers or “runc”.  The vulnerability allows malicious containers to gain root-level code execution on the host. It can run any command (it does not need to be attacker-controlled) as root within a container in either of the following contexts:

 

  • Creating a new container using an attacker-controlled image.
  • Attaching (docker exec) into an existing container which the attacker had previous write access to.

 

This vulnerability is not blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora[++] (because container processes appear to be running as container_runtime_t). However, it is blocked through correct use of user namespaces (where the host root is not mapped into the container’s user namespace).

 

Severity

Critical

 

CVE Number

CVE–2019-5736

 

Impacted Platforms

  • All directly hosted services and SaaS or PaaS solutions engaged with runc.  They will need to be patched.
  • Red Hat, Debian, LXC and Ubuntu
  • Amazon Products
    • Amazon Linux running Docker
    • Some Amazon ECS Optimized AMIs
    • Amazon Elastic Container Service for Kubernetes (Amazon EKS)
    • AWS Fargate
    • AWS IoT Greengrass
    • AWS Batch
    • AWS Elastic Beanstalk
    • AWS Cloud9
    • AWS SageMaker
    • AWS RoboMaker
    • AWS Deep Learning AMI
  • Google Kubernetes Engine (GKE) Ubuntu

 

Recommended actions

  • Please patch as soon as possible when updates and mitigations become available from application vendors
  • If you are consuming any SaaS solutions hosted in Amazon or Google, ask your SaaS provider how they are addressing this vulnerability
  • A backport of patches of older versions of runc that were packaged with Docker can be found in the GitHub repository
  • Contact security@ubc.ca if you have any questions

 

More information

Posted in

Visit the UBC IT Website

Archives

RSS Feeds