Difference between revisions of "SVG:Advisory-SVG-CVE-2019-5736"
(fix some more text concerning lxc)
Latest revision as of 15:05, 1 March 2019
Advisory-SVG-CVE-2019-5736
Title: EGI SVG 'ADVISORY' **UPDATE** [TLP:WHITE] 'CRITICAL' risk runc malicious container escape affecting Docker, Kubernetes, lxc [EGI-SVG-CVE-2019-5736]

Date: 2019-02-13
Updated: 2019-03-01

Affected software and risk
==========================

CRITICAL risk vulnerability concerning runc used in Docker, Kubernetes, lxc

Package : runC/docker
CVE ID : CVE-2019-5736

A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. [R 1] [R 2] This affects Docker, Kubernetes, and lxc. Not all sites will be vulnerable, see mitigation below.

Actions required/recommended
============================

Sites running docker should update urgently, or ensure their site is mitigated as below, if they have not done so already.

Note that the EGI CSIRT team will not be monitoring this CVE.

Component installation information
==================================

Sites installing docker directly from github may install the updated version [R 3]

**UPDATE 2019-02-26**

RedHat has produced advisories and updates for most supported platforms [R 4], although for a few platforms they won't fix.

The Scientific Linux extras repository has updated docker and runc packages, see your local mirror.

Any site using Debian should see [R 5]

The CentOS extras repository has updated docker and runc packages, see your local mirror.

Mitigation
==========

From the Red Hat advisory: This vulnerability is mitigated by the use of SELinux in targeted enforcing mode, which completely prevents this vulnerability from being exploited. The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode.

More information
================

This advisory will be updated and a date will be set by which time all running resources MUST be either patched or have mitigation in place or software removed.

Note that a proof of concept exploit has been released publicly [R 6]

Use in Docker and Kubernetes [R 7]

TLP and URL
===========

** WHITE information - Unlimited distribution - see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions***

URL: https://wiki.egi.eu/wiki/SVG:Advisory-SVG-CVE-2019-5736

Minor updates may be made without re-distribution to the sites

Comments
========

Comments or questions should be sent to svg-rat at mailman.egi.eu

If you find or become aware of another vulnerability which is relevant to EGI you may report it by e-mail to report-vulnerability at egi.eu

The EGI Software Vulnerability Group will take a look according to the procedure defined in [R 8]

Note that this is undergoing revision to fully handle vulnerabilities in the EOSC-hub era.

References
==========

[R 1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5736
[R 2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
[R 3] https://github.com/docker/docker-ce/releases/tag/v18.09.2
[R 4] https://access.redhat.com/security/cve/cve-2019-5736
[R 5] https://security-tracker.debian.org/tracker/CVE-2019-5736
[R 6] https://seclists.org/oss-sec/2019/q1/129
[R 7] https://www.openwall.com/lists/oss-security/2019/02/11/2
[R 8] https://documents.egi.eu/public/ShowDocument?docid=3145

Credit
======

SVG was alerted to this vulnerability by David Crooks

Timeline
========

2019-02-11 SVG alerted to this issue by David Crooks
2019-02-11 Acknowledgement from the EGI SVG to the reporter
2019-02-11 Investigation of vulnerability and relevance to EGI carried out by SVG
2019-02-12 EGI SVG Risk Assessment completed
2019-02-12 Advisory drafted
2019-02-13 Advisory sent to sites
2019-03-01 Minor updates to advisory, concerning availability/installation.

Context
=======

This advisory has been prepared as part of the effort to fulfil EGI SVG's purpose "To minimize the risk to the EGI infrastructure arising from software vulnerabilities"

The risk is that assessed by the group, according to the EGI SVG issue handling procedure [R 8] in the context of how the software is used in the EGI infrastructure. It is the opinion of the group, we do not guarantee it to be correct. The risk may also be higher or lower in other deployments depending on how the software is used.

Others may re-use this information provided they:-

1) Respect the provided TLP classification
2) Credit the EGI https://www.egi.eu/ Software Vulnerability Group

On behalf of the EGI SVG,
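A site-local check covering the two ways out that the advisory gives a Docker host: running at least the fixed docker-ce release from [R 3] (v18.09.2), or being covered by the SELinux targeted-enforcing mitigation quoted from Red Hat. This is an added example, not part of the EGI advisory; it assumes the output formats of `docker --version`, `getenforce` and `sestatus`, and the sample strings in the stand-alone section are constructed.

```shell
#!/bin/sh
# Added example (not from the EGI advisory): classify a Docker host for CVE-2019-5736
# as patched, mitigated, or action-required. Inputs are passed as strings so the
# logic can be exercised without Docker or SELinux present.

FIXED_DOCKER_CE="18.09.2"   # fixed docker-ce release named in [R 3]

# vercmp A B -> prints -1, 0 or 1 comparing dotted numeric versions (missing parts = 0)
vercmp() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}; cb=${vb%%.*}
        if [ "$ca" = "$va" ]; then va=''; else va=${va#*.}; fi
        if [ "$cb" = "$vb" ]; then vb=''; else vb=${vb#*.}; fi
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -gt "$cb" ]; then echo 1; return; fi
        if [ "$ca" -lt "$cb" ]; then echo -1; return; fi
    done
    echo 0
}

# docker_version_from "Docker version 18.09.2, build 6247962" -> 18.09.2
docker_version_from() {
    v=${1#"Docker version "}
    v=${v%%,*}      # drop ", build ..."
    v=${v%%-*}      # drop suffixes such as -ce
    echo "$v"
}

# host_status "<docker --version line>" "<getenforce output>" "<SELinux policy name>"
# prints: patched | mitigated | action-required
# Caveat: distribution packages (e.g. the Red Hat / CentOS extras builds from [R 4])
# backport the fix under older version numbers; for those, trust the package advisory,
# not this version comparison.
host_status() {
    ver=$(docker_version_from "$1")
    if [ "$(vercmp "$ver" "$FIXED_DOCKER_CE")" -ge 0 ]; then
        echo patched
    elif [ "$2" = "Enforcing" ] && [ "$3" = "targeted" ]; then
        echo mitigated          # SELinux targeted enforcing mode, per the Red Hat advisory
    else
        echo action-required    # neither patched nor mitigated: update urgently
    fi
}

# Stand-alone use on a real host (getenforce/sestatus are absent on non-SELinux systems).
if command -v docker >/dev/null 2>&1; then
    mode=$(getenforce 2>/dev/null || echo Disabled)
    policy=$(sestatus 2>/dev/null | awk -F: '/Loaded policy name/ {gsub(/ /,"",$2); print $2}')
    host_status "$(docker --version)" "$mode" "${policy:-none}"
fi
```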