A severe vulnerability has been detected in runc, the container runtime. The vulnerability allows malicious containers to gain root-level code execution on the host. The only interaction required is that a command (any command; it does not need to be attacker-controlled) is run as root within a container in either of the following contexts:
- Creating a new container using an attacker-controlled image.
- Attaching (docker exec) into an existing container which the attacker had previous write access to.
This vulnerability is not blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora (because container processes appear to be running as container_runtime_t). However, it is blocked through correct use of user namespaces (where the host root is not mapped into the container’s user namespace).
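The user-namespace condition above can be checked on a running host by reading a container process's /proc/<pid>/uid_map. The following is an added example, not code from the advisory or the runc project; the function names and the sample maps are constructed for illustration.

```python
"""Check whether host root (UID 0) is mapped into a process's user namespace."""
import sys

def parse_id_map(text):
    """Parse uid_map text into (inside_start, outside_start, length) tuples."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"unexpected uid_map line: {line!r}")
        ranges.append(tuple(int(f) for f in fields))
    return ranges

def host_root_mapped(text):
    """True if host UID 0 falls inside any mapped range (outside IDs as seen from the host)."""
    return any(outside <= 0 < outside + length
               for _inside, outside, length in parse_id_map(text))

def container_root_host_uid(text):
    """Host UID that container UID 0 maps to, or None if container root is unmapped."""
    for inside, outside, length in parse_id_map(text):
        if inside <= 0 < inside + length:
            return outside - inside
    return None

def check_pid(pid):
    """Read the map of a live process; must run in the host's initial user namespace."""
    with open(f"/proc/{pid}/uid_map") as fh:
        return host_root_mapped(fh.read())

# Constructed sample maps (not taken from the advisory).
NO_USERNS = "         0          0 4294967295\n"  # no user namespace: identity map
REMAPPED = "         0     100000      65536\n"   # container root -> host UID 100000
PARTIAL = ("         0     100000       1000\n"
           "      1000          0          1\n")  # host root still mapped in, at UID 1000

if __name__ == "__main__":
    for pid in sys.argv[1:]:
        state = "MAPPED (no user-namespace protection)" if check_pid(int(pid)) else "not mapped"
        print(f"pid {pid}: host root {state}")
```

Pass the host PID of a container's init process as the argument. The outside IDs in uid_map are relative to the reader's namespace, so the result is only meaningful when the script runs on the host itself.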
- All directly hosted services and SaaS or PaaS solutions that use runc will need to be patched.
- Red Hat, Debian, LXC and Ubuntu
- Amazon Products
  - Amazon Linux running Docker
  - Some Amazon ECS Optimized AMIs
  - Amazon Elastic Container Service for Kubernetes (Amazon EKS)
  - AWS Fargate
  - AWS IoT Greengrass
  - AWS Batch
  - AWS Elastic Beanstalk
  - AWS Cloud9
  - AWS SageMaker
  - AWS RoboMaker
  - AWS Deep Learning AMI
- Google Kubernetes Engine (GKE) Ubuntu
- Please patch as soon as possible when updates and mitigations become available from application vendors
- If you are consuming any SaaS solutions hosted in Amazon or Google, ask your SaaS provider how they are addressing this vulnerability
- Backported patches for older versions of runc that were packaged with Docker can be found in the GitHub repository
- Contact email@example.com if you have any questions
- News article: https://www.securityweek.com/container-escape-flaw-hits-aws-google-cloud-linux-distros
- runc: https://github.com/opencontainers/runc
- US-CERT Advisory: https://www.us-cert.gov/ncas/current-activity/2019/02/11/runc-Open-Source-Container-Vulnerability
- runc Security Advisory: https://www.openwall.com/lists/oss-security/2019/02/11/2
- RedHat Blog Post: https://www.redhat.com/en/blog/it-starts-linux-how-red-hat-helping-counter-linux-container-security-flaws
- Google Kubernetes Engine Security Bulletins: https://cloud.google.com/kubernetes-engine/docs/security-bulletins
- Amazon Web Services Blog Post: https://aws.amazon.com/security/security-bulletins/AWS-2019-002/