Table of Contents
The 'docker' package shipped in Red Hat Enterprise Linux 7 Extras bundles 'runc' since 'docker' starting from version 1.12. Both the 'docker' and 'runc' packages are affected by this issue.
The 'docker-latest' package is deprecated as of Red Hat Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Red Hat Enterprise Linux 7 Extras.
OpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Red Hat Enterprise Linux 7 Extras.
OCP versions 3.4 through 3.7 use 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel, which is also affected by this issue.
OpenShift Container Platform 3.9 previously shipped a version 'runc' in it's RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Red Hat Enterprise Linux 7 Extras channel.
Red Hat Enterprise Linux Atomic Host 7 is not affected by this vulnerability as the target runc binaries are stored on a read-only filesystem and cannot be overwritten.
CVSS v3 metrics
|CVSS3 Base Score||7.7|
|CVSS3 Base Metrics||CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H|
Red Hat Security Errata
|Red Hat Enterprise Linux 7 Extras (runc)||RHSA-2019:0303||2019-02-11|
|Red Hat Enterprise Linux 7 Extras (docker)||RHSA-2019:0304||2019-02-11|
Affected Packages State
|Red Hat OpenShift Container Platform 3.9||runc||Will not fix|
|Red Hat OpenShift Container Platform 3.7||docker||Affected|
|Red Hat OpenShift Container Platform 3.6||docker||Affected|
|Red Hat OpenShift Container Platform 3.5||docker||Affected|
|Red Hat OpenShift Container Platform 3.4||docker||Affected|
|Red Hat Enterprise Linux 7||docker-latest||Will not fix|
AcknowledgementsRed Hat would like to thank the Open Containers Security Team for reporting this issue. Upstream acknowledges Adam Iwaniuk and Borys Popławski as the original reporters.
This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a pre-requisite for OpenShift Container Platform 3.x.