CVE-2019-5736: runC container breakout
Open Container Initiative
Affected Cloud Foundry Products and Versions
Severity is High unless otherwise noted.
- BPM
  - All versions prior to v1.0.3
- Cloud Foundry Container Runtime (CFCR)
  - All versions prior to v0.29.0
- Docker BOSH Release
  - All versions prior to v34.0.0
- Garden runC
  - All versions prior to v1.18.2
The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:
* Creating a new container using an attacker-controlled image.
* Attaching (docker exec) into an existing container which the attacker had previous write access to.
This vulnerability is *not* blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora (because container processes appear to be running as container_runtime_t). However, it *is* blocked through correct use of user namespaces (where the host root is not mapped into the container’s user namespace).
NOTE: The Garden-runC implementation used in Cloud Foundry is not impacted by this vulnerability because it leverages unprivileged containers and user namespaces. Garden has consumed the upstream fix in version v1.18.2 to ensure all redundant security controls remain functional.
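The user-namespace condition described above can be verified on a host by reading a container process's `/proc/<pid>/uid_map`. The following is an added example, not code from Cloud Foundry or runc: the function names and sample maps are constructed for illustration, and it assumes the file is read from the host's initial user namespace, so that the second column holds host uids.

```python
import sys
from pathlib import Path

# Constructed sample /proc/<pid>/uid_map contents (not captured from a real host).
# Each line is: <uid inside namespace> <uid outside namespace> <range length>
SAMPLES = {
    "no user namespace": "         0          0 4294967295\n",
    "remapped root": "         0     100000      65536\n",
    "rootless": "         0       1000          1\n         1     100000      65536\n",
}


def parse_uid_map(text):
    """Return (inside_start, outside_start, length) tuples from uid_map text."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        extents.append(tuple(int(f) for f in fields))
    return extents


def host_uid_for(inside_uid, extents):
    """Translate a uid inside the namespace to the outside uid, or None if unmapped."""
    for inside, outside, length in extents:
        if inside <= inside_uid < inside + length:
            return outside + (inside_uid - inside)
    return None


def host_root_is_mapped(text):
    """True if any extent covers uid 0 on the outside (host) side."""
    return any(out <= 0 < out + n for _, out, n in parse_uid_map(text))


def report(text):
    """One-line summary: where container root lands and whether host root is exposed."""
    return (f"container uid 0 -> host uid {host_uid_for(0, parse_uid_map(text))}; "
            f"host root mapped: {host_root_is_mapped(text)}")


if __name__ == "__main__":
    if len(sys.argv) == 2:  # PID of a process running inside the container
        SAMPLES = {f"pid {sys.argv[1]}": Path(f"/proc/{sys.argv[1]}/uid_map").read_text()}
    for name, text in SAMPLES.items():
        print(f"{name}: {report(text)}")
```

A result of `host root mapped: True` means the container does not have the user-namespace protection described above and relies on the patched runc alone.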
Users of affected versions should apply the following mitigations or upgrades:
- Releases that have fixed this issue include:
  - BPM: v1.0.3
  - Cloud Foundry Container Runtime (CFCR): v0.29.0
  - Docker BOSH Release: v34.0.0
  - Garden runC: v1.18.2
2019-02-14: Added fixed version for Cloud Foundry Container Runtime (CFCR)
2019-02-13: Initial vulnerability report published