Cloud Foundry advisory CFOUNDRY:1CA625F1FA872E0AB995AFC970D36DBC
CVE-2019-5736: runC container breakout | Cloud Foundry

2019-02-13 00:00:00
Cloud Foundry
www.cloudfoundry.org

8.6 High (CVSS3)

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

9.3 High (CVSS2)

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.004 Low (Percentile 74.6%)

Severity: High

Vendor: Open Container Initiative

Affected Cloud Foundry Products and Versions

Severity is High unless otherwise noted.

  • BPM
    • All prior to v1.0.3
  • Cloud Foundry Container Runtime (CFCR)
    • All versions prior to v0.29.0
  • Docker BOSH Release
    • All versions prior to v34.0.0
  • Garden runC
    • All versions prior to v1.18.2

Description

The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:

  • Creating a new container using an attacker-controlled image.

  • Attaching (docker exec) into an existing container which the attacker had previous write access to.

This vulnerability is not blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora[++] (because container processes appear to be running as container_runtime_t). However, it is blocked through correct use of user namespaces (where the host root is not mapped into the container’s user namespace).

NOTE: The Garden-runC implementation used in Cloud Foundry is not impacted by this vulnerability because it leverages unprivileged containers and user namespaces. Garden has consumed the upstream fix in version v1.18.2 to ensure all redundant security controls remain functional.
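The advisory's mitigating condition is that host root is not mapped into the container's user namespace. As an added example (not Cloud Foundry, Garden or runc code), the check below parses the kernel's /proc/<pid>/uid_map format ("inside_start outside_start count" per line) and reports whether any container uid maps onto host uid 0; the two sample maps are constructed.

```python
"""Detect whether a container's user namespace maps host root (uid 0)."""
from typing import List, Optional, Tuple

# Constructed samples. The first is the identity map a container gets when
# no user namespace is in use; the second is a shifted (unprivileged) map.
PRIVILEGED_MAP = "         0          0 4294967295\n"
UNPRIVILEGED_MAP = "         0     100000      65536\n"


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text into (inside_start, outside_start, count) triples."""
    ranges: List[Tuple[int, int, int]] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        ranges.append((inside, outside, count))
    return ranges


def host_uid_for(inside_uid: int, ranges: List[Tuple[int, int, int]]) -> Optional[int]:
    """Return the host uid that a container uid maps to, or None if unmapped."""
    for inside_start, outside_start, count in ranges:
        if inside_start <= inside_uid < inside_start + count:
            return outside_start + (inside_uid - inside_start)
    return None


def host_root_mapped(uid_map_text: str) -> bool:
    """True if host uid 0 lies inside any mapped range (the risky configuration)."""
    return any(
        outside_start <= 0 < outside_start + count
        for _, outside_start, count in parse_uid_map(uid_map_text)
    )


if __name__ == "__main__":
    # Read the live map when run inside a container; fall back to the samples.
    try:
        with open("/proc/self/uid_map") as fh:
            live = fh.read()
        print("host root mapped into this namespace:", host_root_mapped(live))
    except OSError:
        for name, sample in (("identity", PRIVILEGED_MAP), ("shifted", UNPRIVILEGED_MAP)):
            print(f"{name}: host root mapped = {host_root_mapped(sample)}")
```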

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • BPM: v1.0.3
    • Cloud Foundry Container Runtime (CFCR): v0.29.0
    • Docker BOSH Release: v34.0.0
    • Garden runC: v1.18.2

References

  • [CVE Announcement](https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/Tc1ELm-8oDI)

History

2019-02-14: Added fixed version for Cloud Foundry Container Runtime (CFCR)

2019-02-13: Initial vulnerability report published
