Open Container Initiative
Severity is High unless otherwise noted.
The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:
Creating a new container using an attacker-controlled image.
Attaching (docker exec) into an existing container which the attacker had previous write access to.
This vulnerability is not blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora[++] (because container processes appear to be running as container_runtime_t). However, it is blocked through correct use of user namespaces (where the host root is not mapped into the container’s user namespace).
NOTE: The Garden-runC implementation used in Cloud Foundry is not impacted by this vulnerability because it leverages unprivileged containers and user namespaces. Garden has consumed the upstream fix in version v1.18.2 to ensure all redundant security controls remain functional.
Users of affected versions should apply the following mitigations or upgrades:
2019-02-14: Added fixed version for Cloud Foundry Container Runtime (CFCR)
2019-02-13: Initial vulnerability report published