runc - Malicious container escape - CVE-2019-5736
A flaw has been detected in runc which allows a malicious container to gain root-level access on the host machine. This issue has been assigned CVE-2019-5736 and has a security impact of Important.
Background Information
A vulnerability discovered in runc allows for a break out from the container to gain root-level access on the host machine.
This vulnerability affects both the docker and runc packages available on Red Hat Enterprise Linux 7, which are delivered through the Extras channel. OpenShift Container Platform (OCP) 3.x depends on these packages from Red Hat Enterprise Linux 7 Extras and is also affected.
This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a pre-requisite for OpenShift Container Platform 3.x.
Take Action
Customers running affected versions of Red Hat products are strongly recommended to apply RPM updates from the RHEL 7 Extras channel as soon as errata become available. Customers of OpenShift Online or OpenShift Dedicated have SELinux enabled in enforcing mode on every host across all clusters, so OpenShift Online and OpenShift Dedicated (OSO/OSD) are expected to be mitigated, with security patches to be deployed during upcoming maintenance windows.
Acknowledgements
Red Hat thanks the upstream Open Containers Security Team for reporting this issue. Upstream acknowledges Adam Iwaniuk and Borys Popławski as the researchers who discovered this flaw.
Additional Resources
Impacted Products
Red Hat Product Security has rated CVE-2019-5736 as having a security impact of Important.
Impacted Red Hat Product versions are:
Red Hat Enterprise Linux 7
Red Hat OpenShift Container Platform 3.x*
* OpenShift Container Platform ships with the correct SELinux policies, which also make it not vulnerable to this exploit. If needed, administrators can determine whether they have changed the SELinux policy, or whether they are still protected, using the downloadable detection script on the "Diagnose" page.
Not Impacted Products
- OpenShift Online and Dedicated are not vulnerable to exploit due to their use of SELinux in enforcing mode.
- Red Hat Enterprise Linux Atomic Host 7 is not affected by this vulnerability because the target runc binaries are stored on a read-only filesystem and cannot be overwritten.
Detecting Exploitation Attempts
Customers using SELinux in enforcing mode can observe exploitation attempts by looking at AVC events in the audit logs. For example:
$ aureport -a
AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 11/02/19 00:00:00 script system_u:system_r:container_t:s0:c530,c886 2 file write system_u:object_r:container_runtime_exec_t:s0 denied 81359
…
The above event describes a process with the system_u:system_r:container_t context attempting to write to a file with the system_u:object_r:container_runtime_exec_t context, which is denied by the default policy on Red Hat Enterprise Linux 7.
NB: Though AVC events will still appear in the audit logs when SELinux is in permissive mode, they should not be relied upon as an attacker with root-level access to a machine can modify the logs.
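The same AVC pattern can be picked out of an `aureport -a` listing automatically. The following shell function is an added example, not Red Hat's detection script; the report rows it runs over are constructed samples, with row 1 mirroring the event quoted above and rows 2 and 3 being unrelated events that must not match.

```shell
#!/bin/sh
# Added example, not Red Hat's detection script: filter `aureport -a` output
# for the AVC pattern this advisory describes (a container_t process denied
# write access to a container_runtime_exec_t file such as the runc binary).

# Report rows on stdin; prints "event-id date time comm result" per match.
find_runc_overwrite_attempts() {
    awk '
        # Data rows start with an index like "1."; banner/header lines do not.
        /^[0-9]+\. / {
            subj = $5; class = $7; perm = $8; obj = $9; result = $10; event = $11
            if (subj ~ /:container_t:/ && obj ~ /:container_runtime_exec_t:/ &&
                class == "file" && perm == "write")
                print event, $2, $3, $4, result
        }'
}

# Constructed sample report (not a real capture). Row 1 mirrors the event
# quoted in the advisory; rows 2 and 3 are unrelated and must not match.
SAMPLE_REPORT='AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 11/02/19 00:00:00 script system_u:system_r:container_t:s0:c530,c886 2 file write system_u:object_r:container_runtime_exec_t:s0 denied 81359
2. 11/02/19 00:00:05 bash system_u:system_r:container_t:s0:c530,c886 2 file read system_u:object_r:container_file_t:s0 denied 81360
3. 11/02/19 00:01:00 runc system_u:system_r:container_runtime_t:s0 2 file write system_u:object_r:container_runtime_exec_t:s0 granted 81361'

# Number of matching rows in the sample (1 here).
count_sample_matches() {
    printf '%s\n' "$SAMPLE_REPORT" | find_runc_overwrite_attempts | wc -l | tr -d ' '
}

# Event id of the first match in the sample (81359 here), for follow-up with
# `ausearch -a <event-id>` on a real host.
first_sample_event() {
    printf '%s\n' "$SAMPLE_REPORT" | find_runc_overwrite_attempts | head -n 1 | cut -d' ' -f1
}
```

On a Red Hat Enterprise Linux 7 host the live report is fed in with `aureport -a | find_runc_overwrite_attempts`; the caveat above still applies, since audit logs on a host where SELinux is permissive can be altered by an attacker who has gained root.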
Diagnose your vulnerability
Fixes have been delivered in the Red Hat Enterprise Linux Extras channel. Customers using OpenShift Container Platform versions 3.9 and higher should apply these fixes.
This vulnerability is mitigated by the use of SELinux in targeted enforcing mode, which completely prevents this vulnerability from being exploited. The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode.
If SELinux has been changed from the default enforcing mode to permissive mode, it can be set back to enforcing mode by following the instructions below:
Users who update to the latest versions do not need to apply further mitigations. However, if the updates cannot be applied, mitigating the issue is recommended.
Mitigations for OpenShift Online and OpenShift Dedicated are already in place. Security patches will be deployed during upcoming maintenance windows.
SELinux in enforcing mode is a pre-requisite for OpenShift Container Platform 3.x.
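A host is only covered by this mitigation if SELinux is enforcing now and will still be enforcing after a reboot, with the targeted policy loaded. The following check is an added example, not Red Hat's downloadable detection script; it takes the runtime mode as printed by `getenforce` as its argument and reads an `/etc/selinux/config`-style file on stdin, and the two config texts below are constructed samples rather than real host files.

```shell
#!/bin/sh
# Added example (not Red Hat's detection script): report whether the SELinux
# mitigation for CVE-2019-5736 is in place on a RHEL 7 host.
#   $1    runtime mode as printed by `getenforce` (Enforcing/Permissive/Disabled)
#   stdin contents of /etc/selinux/config (persistent SELINUX= and SELINUXTYPE=)
# Returns 0 when mitigated, 1 when any of the three conditions fails.
selinux_mitigation_status() {
    mode="$1"
    cfg=$(cat)
    persistent=$(printf '%s\n' "$cfg" | sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' | tail -n 1)
    policy=$(printf '%s\n' "$cfg" | sed -n 's/^SELINUXTYPE=\([a-z]*\).*/\1/p' | tail -n 1)
    status=0
    if [ "$mode" != "Enforcing" ]; then
        echo "NOT MITIGATED: runtime mode is '$mode' (if Permissive, run 'setenforce 1' now; if Disabled, fix the config and reboot)"
        status=1
    fi
    if [ "$persistent" != "enforcing" ]; then
        echo "NOT MITIGATED after reboot: config has SELINUX=${persistent:-unset} (set SELINUX=enforcing)"
        status=1
    fi
    if [ "$policy" != "targeted" ]; then
        echo "WARNING: SELINUXTYPE=${policy:-unset}; the RHEL 7 default, and the policy this advisory relies on, is targeted"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "MITIGATED: SELinux targeted policy in enforcing mode, persistently"
    return "$status"
}

# Constructed sample configs (not real host files): a host that was flipped to
# permissive, and the RHEL 7 default.
WEAK_CONFIG='SELINUX=permissive
SELINUXTYPE=targeted'
DEFAULT_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted'

# Convenience wrapper: $1 = runtime mode, $2 = config text; prints one verdict word.
check_sample() {
    if printf '%s\n' "$2" | selinux_mitigation_status "$1" >/dev/null; then
        echo ok
    else
        echo action-needed
    fi
}
```

On a real host run `selinux_mitigation_status "$(getenforce)" < /etc/selinux/config`; a non-zero exit means the SELinux mitigation cannot be relied on and the Extras channel updates must be applied without delay.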
Updates for Affected Products
Product | Package | Advisory/Update |
---|---|---|
Red Hat Enterprise Linux 7 Extras | docker | RHSA-2019:0304 |
Red Hat Enterprise Linux 7 Extras | runc | |
Red Hat OpenShift Container Platform 3.4 | docker | RHSA-2019:0408 |
Red Hat OpenShift Container Platform 3.5 | docker | RHSA-2019:0408 |
Red Hat OpenShift Container Platform 3.6 | docker | RHSA-2019:0408 |
Red Hat OpenShift Container Platform 3.7 | docker | RHSA-2019:0408 |
Customers using docker (or docker-latest*) will need to update the docker package, which bundles its own version of runc. Customers using CRI-O, podman, or any other container engine that depends on runc, will need to update the runc package. Updates to both docker and runc are delivered from the Red Hat Enterprise Linux 7 Extras channel.
OpenShift Container Platform (OCP) versions 3.9 and later use docker version 1.13 in the default configuration but can also use CRI-O as an alternative. Customers using OCP 3.9 and later should apply the respective update for docker or runc from the Red Hat Enterprise Linux 7 Extras channel.
OCP versions 3.4 through 3.7 originally used 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel. An updated version of 'docker' 1.12 has been delivered to the RPM channels for OCP versions 3.4 through 3.7.
Note: OpenShift Container Platform 3.9 initially shipped its own version of the runc package in the OCP 3.9 repository. The version of runc in Red Hat Enterprise Linux 7 Extras already supersedes the version in OCP 3.9. If running an OCP 3.9 cluster, runc should be updated from the Red Hat Enterprise Linux Extras channel.
Ansible Playbook
An Ansible playbook is available, which updates the packages if the packages are already installed. The script will fail for docker-latest which is no longer supported. To verify the legitimacy of the playbook, you can download the detached GPG signature as well. Current playbook version is 1.1.
The playbook runs against a variable named HOSTS, and can be invoked as follows (assuming 'hostname' is defined in your inventory file):
# ansible-playbook -e HOSTS=hostname cve-2019-5736-update_fixit.yml
This playbook requires root privileges so you will need to use an account with appropriate permissions.