CVE-2019-5736

Impact: Important
Public Date: 2019-02-11
CWE: CWE-672
Bugzilla: 1664908: CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem
A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.

Find out more about CVE-2019-5736 from the MITRE CVE dictionary and NIST NVD.

Statement

The 'docker' package shipped in Red Hat Enterprise Linux 7 Extras has bundled 'runc' since 'docker' version 1.12. Both the 'docker' and 'runc' packages are affected by this issue.

The 'docker-latest' package is deprecated as of Red Hat Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Red Hat Enterprise Linux 7 Extras.

OpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Red Hat Enterprise Linux 7 Extras.

OCP versions 3.4 through 3.7 use 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel, which is also affected by this issue.

OpenShift Container Platform 3.9 previously shipped a version of 'runc' in its own RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Red Hat Enterprise Linux 7 Extras channel.

Red Hat Enterprise Linux Atomic Host 7 is not affected by this vulnerability as the target runc binaries are stored on a read-only filesystem and cannot be overwritten.

CVSS v3 metrics

CVSS3 Base Score 7.7
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Local
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Impact High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 Extras (runc) RHSA-2019:0303 2019-02-11
Red Hat Enterprise Linux 7 Extras (docker) RHSA-2019:0304 2019-02-11

Affected Packages State

Platform Package State
Red Hat OpenShift Container Platform 3.9 runc Will not fix
Red Hat OpenShift Container Platform 3.7 docker Affected
Red Hat OpenShift Container Platform 3.6 docker Affected
Red Hat OpenShift Container Platform 3.5 docker Affected
Red Hat OpenShift Container Platform 3.4 docker Affected
Red Hat Enterprise Linux 7 docker-latest Will not fix

Acknowledgements

Red Hat would like to thank the Open Containers Security Team for reporting this issue. Upstream acknowledges Adam Iwaniuk and Borys Popławski as the original reporters.

Mitigation

This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a prerequisite for OpenShift Container Platform 3.x.
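The advisory ties exposure to three observable conditions: whether the runc binary can be overwritten (Atomic Host is unaffected because it sits on a read-only filesystem), whether SELinux is enforcing (the listed mitigation), and whether the binary itself is still intact. The following posture check is an added example, not Red Hat's code; it assumes the binary is installed as runc or docker-runc and owned by an RPM, and takes its inputs as arguments so the logic can be exercised without a RHEL 7 host.

```shell
#!/bin/sh
# Added example (not part of the Red Hat advisory): defender-side posture check
# for the conditions the advisory ties to CVE-2019-5736. Inputs are passed as
# arguments so the logic runs offline; gather_and_assess reads a live host.

# selinux_mitigates STATE: `getenforce` output; the advisory names Enforcing
# mode on RHEL 7 as the mitigation.
selinux_mitigates() {
    [ "$1" = "Enforcing" ]
}

# mount_is_readonly OPTS: comma-separated options of the filesystem holding
# runc. A read-only filesystem is why Atomic Host is not affected.
mount_is_readonly() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# rpm_verify_clean OUTPUT: output of `rpm -Vf <binary>`. rpm prints nothing when
# the owning package verifies; a '5' in the third attribute column is a digest
# mismatch and "missing" a removed file, both signs a packaged file was altered.
rpm_verify_clean() {
    [ -z "$1" ] && return 0
    printf '%s\n' "$1" | grep -Eq '^(..5|missing)' && return 1
    return 0
}

# assess STATE OPTS RPMOUT: prints "tampered" if the binary fails verification,
# "mitigated" if SELinux enforcing or a read-only mount protects it, else "exposed".
assess() {
    rpm_verify_clean "$3" || { echo tampered; return 0; }
    if selinux_mitigates "$1" || mount_is_readonly "$2"; then
        echo mitigated
    else
        echo exposed
    fi
}

# gather_and_assess: live check on a RHEL 7 host; silent where runc or rpm is absent.
gather_and_assess() {
    runc_path=$(command -v runc 2>/dev/null || command -v docker-runc 2>/dev/null || true)
    [ -n "$runc_path" ] && command -v rpm >/dev/null 2>&1 || return 0
    state=$(getenforce 2>/dev/null || echo Disabled)
    mp=$(df -P "$runc_path" | awk 'NR==2 {print $NF}')
    opts=$(findmnt -no OPTIONS "$mp" 2>/dev/null || echo rw)
    echo "$runc_path: $(assess "$state" "$opts" "$(rpm -Vf "$runc_path" 2>/dev/null)")"
}
gather_and_assess
```

A "tampered" result warrants reinstalling runc from the errata listed above and treating the host as compromised; "exposed" means neither of the advisory's protective conditions holds and the RHSA updates should be applied.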
