{
  "threat_severity" : "Important",
  "public_date" : "2019-02-11T13:22:00Z",
  "bugzilla" : {
    "description" : "runc: Execution of malicious containers allows for container escape and access to host filesystem",
    "id" : "1664908",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1664908"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-672",
  "details" : [ "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.", "A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system." ],
  "statement" : "The 'docker' package shipped in Red Hat Enterprise Linux 7 Extras bundles 'runc' starting from 'docker' version 1.12. Both the 'docker' and 'runc' packages are affected by this issue.\nThe 'docker-latest' package is deprecated as of Red Hat Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Red Hat Enterprise Linux 7 Extras.\nOpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Red Hat Enterprise Linux 7 Extras.\nOCP versions 3.4 through 3.7 originally used 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel. An updated version of 'docker' 1.12 has been delivered to the RPM channels for OCP versions 3.4 through 3.7.\nOCP version 3.9 previously shipped a version of 'runc' in its RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Red Hat Enterprise Linux 7 Extras channel.\nRed Hat Enterprise Linux Atomic Host 7 is not affected by this vulnerability as the target runc binaries are stored on a read-only filesystem and cannot be overwritten.",
  "acknowledgement" : "Red Hat would like to thank the Open Containers Security Team for reporting this issue. Upstream acknowledges Adam Iwaniuk and Borys Popławski as the original reporters.",
  "affected_release" : [ {
    "product_name" : "Other",
    "release_date" : "2019-02-25T00:00:00Z",
    "advisory" : "RHSA-2019:0401",
    "cpe" : "cpe:/a:redhat:container_development_kit:3.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extras",
    "release_date" : "2019-02-11T00:00:00Z",
    "advisory" : "RHSA-2019:0303",
    "cpe" : "cpe:/a:redhat:rhel_extras_other:7",
    "package" : "runc-0:1.0.0-59.dev.git2abd837.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extras",
    "release_date" : "2019-02-11T00:00:00Z",
    "advisory" : "RHSA-2019:0304",
    "cpe" : "cpe:/a:redhat:rhel_extras_other:7",
    "package" : "docker-2:1.13.1-91.git07f3374.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2019-05-07T00:00:00Z",
    "advisory" : "RHSA-2019:0975",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "container-tools:rhel8-8000020190416221845.2ffa3d27"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "release_date" : "2019-02-26T00:00:00Z",
    "advisory" : "RHSA-2019:0408",
    "cpe" : "cpe:/a:redhat:openshift:3.4::el7",
    "package" : "docker-2:1.12.6-79.git5680db5.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "release_date" : "2019-02-26T00:00:00Z",
    "advisory" : "RHSA-2019:0408",
    "cpe" : "cpe:/a:redhat:openshift:3.5::el7",
    "package" : "docker-2:1.12.6-79.git5680db5.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "release_date" : "2019-02-26T00:00:00Z",
    "advisory" : "RHSA-2019:0408",
    "cpe" : "cpe:/a:redhat:openshift:3.6::el7",
    "package" : "docker-2:1.12.6-79.git5680db5.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "release_date" : "2019-02-26T00:00:00Z",
    "advisory" : "RHSA-2019:0408",
    "cpe" : "cpe:/a:redhat:openshift:3.7::el7",
    "package" : "docker-2:1.12.6-79.git5680db5.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "docker-latest",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "container-tools:1.0/runc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux Atomic Host 7",
    "fix_state" : "Not affected",
    "package_name" : "docker",
    "cpe" : "cpe:/a:redhat:rhel_atomic:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux Atomic Host 7",
    "fix_state" : "Not affected",
    "package_name" : "runc",
    "cpe" : "cpe:/a:redhat:rhel_atomic:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Will not fix",
    "package_name" : "runc",
    "cpe" : "cpe:/a:redhat:openshift:3.9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "runc",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-5736\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-5736\nhttps://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html\nhttps://seclists.org/oss-sec/2019/q1/119" ],
  "csaw" : true,
  "name" : "CVE-2019-5736",
  "mitigation" : {
    "value" : "This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a pre-requisite for OpenShift Container Platform 3.x.",
    "lang" : "en:us"
  }
}