A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.
Find out more about CVE-2019-5736 from the MITRE CVE dictionary and NIST NVD.
The 'docker' package shipped in Red Hat Enterprise Linux 7 Extras bundled 'runc' since 'docker' version 1.12. If either the 'docker' or 'runc' packages are installed, they will need to be updated with the latest security errata.
The 'docker-latest' package is deprecated as of Red Hat Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Red Hat Enterprise Linux 7 Extras.
OpenShift Container Platform (OCP) 3.x uses 'docker' in the default configuration, while OCP 4 defaults to CRI-O. CRI-O can also be installed as an alternative container engine from OCP version 3.9 and later. The CRI-O package depends on the 'runc' package being installed. While OCP is not directly affected by this vulnerability, it depends on vulnerable components 'docker' or 'runc', which should be updated, especially if SELinux is disabled.
OpenShift Container Platform 3.9 previously shipped a version of 'runc' in its RPM repository. If running an OCP 3.9 cluster, 'runc' should be updated from the Red Hat Enterprise Linux 7 Extras channel.
NOTE: The following CVSS v3 metrics and score are preliminary and subject to review.
Metric | Value |
---|---|
CVSS3 Base Score | 7.7 |
CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
Attack Vector | Local |
Attack Complexity | High |
Privileges Required | None |
User Interaction | Required |
Scope | Changed |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux 7 Extras (runc) | RHSA-2019:0303 | 2019-02-11 |
Platform | Package | State |
---|---|---|
Red Hat OpenShift Container Platform 3.9 | runc | Will not fix |
Red Hat Enterprise Linux 7 | docker-1.12 | Affected |
Red Hat Enterprise Linux 7 | docker | Affected |
Red Hat Enterprise Linux 7 | docker-latest | Will not fix |
This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode.
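A triage check that applies the guidance above on a RHEL 7 host: 'docker' and 'runc' are fixed by RHSA-2019:0303, 'docker-latest' has no fix and must be replaced, and SELinux enforcing counts only as a mitigation. This is an added example, not Red Hat tooling; it assumes that `yum updateinfo list installed` prints one line per advisory beginning with the advisory ID, and the sample inputs below are constructed.

```shell
#!/bin/sh
# Triage helper for CVE-2019-5736 on a RHEL 7 host (added example, not Red Hat tooling).
# Inputs are passed as strings so the logic runs offline; on a real host they come from
#   getenforce | rpm -qa --qf '%{NAME}\n' | yum updateinfo list installed
# (assumed to print one line per advisory, beginning with its ID).
# Prints one line per finding; returns 0 when nothing is left to do, 1 when action is required.
assess_cve_2019_5736() {
    selinux_mode=$1
    installed_pkgs=$2
    applied_errata=$3
    action=0
    has_pkg() { printf '%s\n' "$installed_pkgs" | grep -qxF "$1"; }

    # docker-latest is deprecated and will not be fixed: the advisory says to move to 'docker'.
    if has_pkg docker-latest; then
        echo "docker-latest installed: deprecated, no fix; replace it with the 'docker' package"
        action=1
    fi

    # 'docker' (which bundles runc) and the standalone 'runc' package are fixed by RHSA-2019:0303.
    if has_pkg docker || has_pkg docker-1.12 || has_pkg runc; then
        if printf '%s\n' "$applied_errata" | grep -q '^RHSA-2019:0303'; then
            echo "docker/runc installed: RHSA-2019:0303 already applied"
        else
            echo "docker/runc installed: RHSA-2019:0303 missing; update from RHEL 7 Extras"
            action=1
        fi
    fi

    # SELinux enforcing mitigates the flaw on RHEL 7, but the packages still need updating.
    if [ "$action" -eq 1 ]; then
        if [ "$selinux_mode" = "Enforcing" ]; then
            echo "SELinux Enforcing: exposure mitigated until the update lands"
        else
            echo "SELinux $selinux_mode: no mitigation in place; update immediately"
        fi
    fi
    return "$action"
}

# Constructed sample inputs (not captured from a real system); the errata line carries a
# placeholder advisory ID, so RHSA-2019:0303 is reported as missing.
SAMPLE_PKGS='kernel
docker
runc
selinux-policy-targeted'
SAMPLE_ERRATA='RHSA-0000:0000 Important/Sec. placeholder-package-0.0-1.el7.x86_64'
assess_cve_2019_5736 Permissive "$SAMPLE_PKGS" "$SAMPLE_ERRATA" || echo "exit status: $?"
```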