Docker Vulnerability issue - CVE-2019-5736 #38713
Comments
cc @thaJeztah

I see there is a fix in containerd (containerd/containerd#2997), but how does Docker deliver the fix?

I think the Moby project is only the dockerd part of the whole Docker ecosystem. (Glad to come upon this issue, and thanks for the information; need to figure out how to make a smooth upgrade now.....)
Docker released updates yesterday that contain a patched version of runc; those releases were developed under embargo, so we applied a hot-patch to the versions of runc used in those releases. Upcoming patch-releases will re-align with the upstream runc versions. The moby repository has not yet been updated, but will be updated soon, to align with containerd.

Patched Docker versions are:

Docker Engine Community ("CE"):

Docker Engine Enterprise ("EE"):

Docker Desktop (Docker for Mac / Docker for Windows):
Docker Desktop is not vulnerable, due to it (among other measures) using a read-only filesystem. The Docker Engine will be updated in an upcoming patch release.

Note that Docker 18.03 CE has reached EOL, so it won't be patched; I highly recommend updating to a currently maintained version (or to Docker EE, which has a longer support cycle).
Let's please get runc updated in this repo. It's in hack/Dockerfile/install/runc.installer

Yes, I was discussing with the containerd maintainers yesterday if 1.2.4 would be tagged, but we can update runc before that.

Let me open a PR

PR: #38716

@thaJeztah do you mind updating the SHA at least for 18.03, so that someone can build packages themselves if they want to?

No, the release is EOL, so the release-branch won't be updated, but you can either update the SHA to current runc master, or apply the hot fix (similar to docker/docker-ce@9b00e48).
Description
Docker Vulnerability - docker runc - CVE-2019-5736
Received communication about a security exploit that will affect all container environments that depend on runc. The exploit allows the attacker to overwrite the runc binary itself which can then be used to have root local access to the system running containers. A crafted binary could then do any action on the system with full root permission.
The CVE was meant to be embargoed but is now public: CVE-2019-5736
The patch in runc was already merged:
opencontainers/runc@0a8e411
CVE report link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
Describe the results you received:
Container Vulnerability issue.
Describe the results you expected:
No container Vulnerability issue.
Additional information you deem important (e.g. issue happens only occasionally):
Output of docker version:
But I think all versions of Docker might be affected.

Output of docker info:

Additional environment details (AWS, VirtualBox, physical, etc.):
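The description above says the outcome of this CVE is a rewritten runc binary on the host. Until every engine is on a patched release, the thing a host owner most wants is to notice that rewrite quickly. As an added example (not code from the issue, from Docker, or from runc), the POSIX shell script below records a baseline SHA-256 of the runc binary and re-checks it, and also flags a runc binary that is group- or world-writable. The candidate paths are assumptions; adjust them to where your installation places runc (docker-runc on older releases, runc on newer ones).

```shell
#!/bin/sh
# Added example, not part of the issue thread: baseline and re-check the runc
# binary so a rewrite of it (the result CVE-2019-5736 enables) is detected.
# Candidate paths are assumptions; adjust to your installation.
RUNC_CANDIDATES="/usr/bin/docker-runc /usr/bin/runc /usr/local/bin/runc"

sha256_of() {
    # Use coreutils sha256sum where available, otherwise fall back to openssl.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

mode_of() {
    # Octal permission bits; GNU stat first, BSD/macOS stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Record the hash of a known-good runc binary ($1) into a baseline file ($2).
# Take the baseline right after installing a patched package, not from a
# host that may already have been tampered with.
runc_baseline() {
    sha256_of "$1" > "$2"
}

# Exit 0 if the binary ($1) still matches the baseline file ($2), 1 if not.
runc_unchanged() {
    [ "$(sha256_of "$1")" = "$(cat "$2")" ]
}

# Exit 0 if neither group nor other has the write bit on $1, 1 otherwise.
# The binary should only ever be writable by root.
runc_not_group_world_writable() {
    m=$(mode_of "$1")
    o=${m#"${m%?}"}                # last octal digit: other
    g=${m%?}; g=${g#"${g%?}"}      # second-to-last octal digit: group
    for d in $g $o; do
        case "$d" in 2|3|6|7) return 1 ;; esac   # digits with the write bit set
    done
    return 0
}

# Report every runc binary found, its hash (for your baseline) and its mode.
main() {
    for p in $RUNC_CANDIDATES; do
        [ -x "$p" ] || continue
        printf '%s sha256=%s mode=%s\n' "$p" "$(sha256_of "$p")" "$(mode_of "$p")"
        runc_not_group_world_writable "$p" || echo "WARNING: $p is group/world writable"
    done
}

main
```

Run runc_baseline once as root right after upgrading to a patched package, then call runc_unchanged from cron or your file-integrity tooling; a mismatch means the binary changed outside of package management and the host should be treated as compromised until the change is explained. Comparing the baseline hash against the hash of the binary in the distribution package is a sensible extra step.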