Open Containers Initiative
runC allowed additional container processes started via runc exec to be ptraced by pid 1 of the container. This allows the main process of the container, if running as root, to gain access to file descriptors of these new processes during initialization, which can lead to container escapes or modification of runC state before the process is fully placed inside the container.
Affected Cloud Foundry Products and Versions
- Garden-runC versions prior to 1.1.1
The Cloud Foundry team has determined that the project is not exposed to this particular vulnerability and therefore does not require any upgrades. Because Cloud Foundry never runs user processes as pid 1, runs all buildpack containers as unprivileged users in a user namespace, and uses AppArmor to prevent ptrace, the specific exploit in the CVE is not possible.
However, the CVE patch from runC also worked around an Ubuntu kernel bug that left file descriptors inherited by a new process available for a very short time when they should have been closed automatically. This could result in a container being able to access files on the host, although not with elevated permissions.
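Two of the conditions the notice cites for non-exposure (unprivileged users in a user namespace, AppArmor confinement) can be checked from /proc on the host. The following is an added example, not Cloud Foundry or runC code; the function names, the profile name "example-profile" and the sample file contents are assumptions constructed for illustration.

```python
# Added example. The uid_map and AppArmor strings below are constructed samples.
from pathlib import Path

FULL_RANGE = [(0, 0, 4294967295)]  # uid_map of the initial user namespace

def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map into (inside_start, outside_start, length) tuples."""
    return [tuple(int(f) for f in line.split())
            for line in text.strip().splitlines()]

def host_uid(container_uid, ranges):
    """Translate a uid inside the namespace to the uid outside it (None if unmapped)."""
    for inside, outside, length in ranges:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None

def audit(uid_map_text, attr_current_text):
    """Evaluate the conditions from the two /proc files' contents."""
    ranges = parse_uid_map(uid_map_text)
    label = attr_current_text.strip()
    return {
        "user_namespaced": ranges != FULL_RANGE,
        "container_root_is_host_root": host_uid(0, ranges) == 0,
        # Enforce mode only shows a profile is applied; whether it denies
        # ptrace has to be confirmed in the profile itself.
        "apparmor_enforcing": label.endswith("(enforce)"),
    }

def audit_pid(pid):
    """Run the audit against a live process; read from the host."""
    proc = Path("/proc") / str(pid)
    return audit((proc / "uid_map").read_text(),
                 (proc / "attr" / "current").read_text())

# Constructed samples: an unprivileged, confined container and a host-root one.
UNPRIV_MAP = "         0     100000      65536\n"
HOST_MAP = "         0          0 4294967295\n"

if __name__ == "__main__":
    print(audit(UNPRIV_MAP, "example-profile (enforce)\n"))
    print(audit(HOST_MAP, "unconfined\n"))
```

The third condition, that no user process runs as pid 1, depends on how the container runtime starts its init process and is not covered by this check.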
OSS users are encouraged to follow one of the mitigations below:
- Upgrade garden-runC to version 1.1.1 or later.
Credit for this discovery goes to Aleksa Sarai from SUSE and Tõnis Tiigi
- Original CVE from Docker: http://seclists.org/oss-sec/2017/q1/54
- Ubuntu tracking for kernel bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1654602
2017-01-17: Notice updated to include further vulnerability information.
2017-01-18: Updated Severity to Medium