ContextQMD
Back to Kops

CVE-2019-5736 - runc container breakout

docs/advisories/cve_2019_5736.md

1.35.02.8 KB
Original Source

CVE-2019-5736 - runc container breakout

runc through 1.0-rc6, as used in Docker before 18.09.2, allows attackers to overwrite the host runc binary and consequently obtain host root access. For more information, please see the NIST advisory or the kubernetes advisory.

For kOps, kOps releases 1.11.1 or later include workarounds, but note that the fixes depend on the version of kubernetes you are running. Because kubernetes 1.10 and 1.11 were only validated with Docker version 17.03.x (and earlier), and because Docker has chosen not to offer fixes for 17.03 in OSS, there is no patched version.

You must update to kOps 1.11.1 (or later) if you are running kubernetes <= 1.11.x to get this fix

However, there is an alternative to the patch which is less impactful and requires no source code changes: it is possible to mark runc as immutable using chattr. Doing so protects against the known exploits. The exception is privileged pods (that are effectively root anyway) and pods that have explicitly been granted CAP_LINUX_IMMUTABLE in the securityContext.capabilities.

If you are running pods that are not privileged but you grant CAP_LINUX_IMMUTABLE in the securityContext.capabilities, and are running kubernetes 1.11 (or earlier), you should consider one of the alternative fixes listed below

Summary of fixes that ship with kOps >= 1.11.1

  • Kubernetes 1.11 (and earlier): we mark runc with the immutable attribute.
  • Kubernetes 1.12 (and later): we install a version of docker that includes a fixed runc

Alternative fixes for users of kubernetes 1.11 (or earlier)

  • Anticipate upgrading to kubernetes 1.12 earlier than previously planned. We are accelerating the kOps 1.12 release to facilitate this.
  • Consider replacing the docker version with 18.06.3 or later. Note that this will "pin" your docker version and in future you will want to remove this to get future docker upgrades. (Do not select docker 18.06.2 on Redhat/Centos, that version was mistakenly packaged by Docker without including the fix)
  • Consider replacing just runc - some third parties have backported the fix to runc 17.03, and our wonderful community of kOps users has shared their approaches to patching runc, see here and here.