Severity
Medium
Vendor
Open Containers Initiative
Description
RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
Affected Cloud Foundry Products and Versions
- Garden-runC versions prior to 1.1.1
The Cloud Foundry team has determined that the project is not exposed to this particular vulnerability and therefore does not require any upgrades. As Cloud Foundry never runs user processes as pid 1 and runs all buildpack containers as unprivileged users in a user namespace, and as Cloud Foundry uses apparmor to prevent ptrace, the specific exploit in the CVE is not possible.
However, the CVE patch from runC also worked around an Ubuntu kernel bug that resulted in file descriptors which were inherited by a new process being available for a very short time when they should have been automatically closed. This could result in a container being able to access files on the host, although not with elevated permissions.
Mitigation
OSS users are encouraged to follow one of the mitigations below:
- Upgrade garden-runC to version 1.1.1 or later.
Credit
Credit for this discovery goes to Aleksa Sarai from SUSE and Tõnis Tiigi
from Docker.
References
- Original CVE from Docker: http://seclists.org/oss-sec/2017/q1/54
- Ubuntu tracking for kernel bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1654602
History
2017-01-17: Notice updated to include further vulnerability information.
2017-01-18: Updated Severity to Medium
