Container Runtime “runc” Vulnerability

A serious vulnerability has been reported in runc, the low-level container runtime used by Docker, containerd, CRI-O and other container platforms. It allows a malicious container to overwrite the host’s runc binary and thereby gain root-level code execution on the host. The only user interaction required is that someone run any command (the command itself does not need to be attacker-controlled) as root within a container in either of the following contexts:

  • Creating a new container using an attacker-controlled image.
  • Attaching (docker exec) into an existing container to which the attacker previously had write access.

This vulnerability is not blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora (because container processes appear to be running as container_runtime_t). It is blocked by correct use of user namespaces, where host root (UID 0) is not mapped into the container’s user namespace. Docker does not enable user-namespace remapping by default, so verify it rather than assume it.

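The user-namespace mitigation only helps if host UID 0 really is absent from the container’s mapping, which can be read from /proc/<pid>/uid_map of any process in the container. The following POSIX shell script is an added example written for this advisory (it is not UBC’s, Docker’s or the runc project’s code): it parses uid_map text and reports whether host root is mapped. The two sample maps and the function names host_root_mapped and check_pid are constructed for illustration.

```shell
#!/bin/sh
# Added example for this advisory; not code from UBC, the runc project or Docker.
# Decides from the contents of /proc/<pid>/uid_map whether host UID 0 is mapped
# into a container's user namespace. Each uid_map line is
#   <first uid inside the namespace> <first uid outside (on the host)> <count>
# and host root is mapped when some line's outside range covers uid 0, i.e. when
# the second field is 0 and the count is positive.

# host_root_mapped "<uid_map text>": returns 0 (true) when host uid 0 is mapped.
host_root_mapped() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $2 == 0 && $3 > 0 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Constructed sample maps (illustrative, not captured from a real host).
# Default Docker container, no user-namespace remapping: inside 0 is host 0.
MAP_DEFAULT='         0          0 4294967295'
# Container started under userns-remap or a rootless runtime: inside 0 is host 100000.
MAP_REMAPPED='         0     100000      65536'

# check_pid <pid>: reads the live map of a running process (needs read access
# to /proc/<pid>) and reports whether the user-namespace mitigation applies.
check_pid() {
    pid="$1"
    map=$(cat "/proc/$pid/uid_map" 2>/dev/null) || {
        echo "pid $pid: cannot read uid_map"
        return 2
    }
    if host_root_mapped "$map"; then
        echo "pid $pid: host root IS mapped; user namespaces do not mitigate CVE-2019-5736 here"
        return 1
    fi
    echo "pid $pid: host root is not mapped; user-namespace mitigation in effect"
    return 0
}

# Self-check against the constructed maps when run directly.
host_root_mapped "$MAP_DEFAULT"  && echo "default map: host root mapped"
host_root_mapped "$MAP_REMAPPED" || echo "remapped map: host root not mapped"
```

To check a running Docker container, pass its init PID: check_pid "$(docker inspect --format '{{.State.Pid}}' <container>)". A result of "host root IS mapped" means the container runs in the default configuration; Docker’s userns-remap daemon option, or a rootless runtime, is what produces a map like MAP_REMAPPED.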
Severity

Critical

CVE Number

CVE-2019-5736

Impacted Platforms

  • All directly hosted services, and any SaaS or PaaS solutions, that use runc; these will need to be patched.
  • Red Hat, Debian, Ubuntu and LXC
  • Amazon Products
    • Amazon Linux running Docker
    • Some Amazon ECS Optimized AMIs
    • Amazon Elastic Container Service for Kubernetes (Amazon EKS)
    • AWS Fargate
    • AWS IoT Greengrass
    • AWS Batch
    • AWS Elastic Beanstalk
    • AWS Cloud9
    • AWS SageMaker
    • AWS RoboMaker
    • AWS Deep Learning AMI
  • Google Kubernetes Engine (GKE) nodes running Ubuntu node images

Recommended actions

  • Patch as soon as updates or mitigations become available from your vendors. runc is installed on every container host, so each host must be updated, not only the orchestration layer.
  • If you consume SaaS solutions hosted in Amazon or Google, ask your SaaS provider how they are addressing this vulnerability.
  • Backported patches for the older runc versions packaged with Docker are available from the runc project’s GitHub repository.
  • Contact security@ubc.ca if you have any questions.

More information