Docker Vulnerability issue - CVE-2019-5736 #38713

Closed
liqlin2015 opened this issue Feb 12, 2019 · 11 comments

Comments


liqlin2015 commented Feb 12, 2019

Description

Docker Vulnerability - docker runc - CVE-2019-5736

Received communication about a security exploit that will affect all container environments that depend on runc. The exploit allows the attacker to overwrite the runc binary itself, which can then be used to gain local root access to the system running the containers. A crafted binary could then perform any action on the system with full root permission.

The CVE was meant to be embargoed but is now public: CVE-2019-5736

The patch in runc was already merged:
opencontainers/runc@0a8e411

CVE report link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736

Describe the results you received:

Container Vulnerability issue.

Describe the results you expected:

No container Vulnerability issue.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

18.03.1-ce

But I think all versions of Docker might be affected.

Output of docker info:

(paste your output here)

Additional environment details (AWS, VirtualBox, physical, etc.):

@liqlin2015 (Author)

cc @thaJeztah

@liqlin2015 (Author)

I see there is a fix in containerd: containerd/containerd#2997.

But how does Docker deliver the fix?

@zq-david-wang (Contributor)

I think the Moby project is only the dockerd part of the whole Docker ecosystem.
According to the release notes, it seems that the fix is already in 18.09.2
https://github.com/docker/docker-ce/releases/tag/v18.09.2

(Glad to come upon this issue, and thanks for the information, need to figure out how to make a smooth upgrade now.....)

@thaJeztah (Member)

thaJeztah commented Feb 12, 2019

Docker released updates yesterday that contain a patched version of runc; those releases were developed under embargo, so a hot-patch was applied to the versions of runc used in those releases. Upcoming patch releases will re-align with the upstream runc versions.

The moby repository has not yet been updated, but will be updated soon to align with containerd.

Patched Docker versions are:

Docker Engine Community ("CE")

  • Docker CE 18.09.2
    (For Docker 18.09 and up, containerd and RunC are in a separate package; the fixed RunC version is in the containerd.io package, version 1.2.2-3, and the Docker 18.09.2 package enforces containerd >= 1.2.2-3)
  • Docker CE 18.06.2-ce

Docker Engine Enterprise ("EE"):

  • Docker EE 17.06.2-ee-19
  • Docker EE 18.03.1-ee-6
  • Docker EE 18.09.2 (For Docker 18.09 and up, containerd and RunC are in a separate package; the fixed RunC version is in the containerd.io package, version 1.2.2-3, and the Docker 18.09.2 package enforces containerd >= 1.2.2-3)

Docker Desktop (Docker for Mac / Docker for Windows)

Docker Desktop is not vulnerable, due to it (among other measures) using a read-only filesystem. The Docker Engine will be updated in an upcoming patch release.
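A small triage helper, added here as an example and not code from the thread or the moby project, that encodes the patched version list above (plus the containerd.io >= 1.2.2-3 requirement for 18.09) so a fleet inventory of `docker version` strings such as the issue's "18.03.1-ce" can be sorted into patched, vulnerable, or EOL-without-a-fix. It assumes version strings in the forms shown in this thread (e.g. "18.06.2-ce", "18.03.1-ee-6"); an unsuffixed version is treated as CE.

```python
import re

# Minimum patched release per (edition, branch), as listed in the comment above.
# Docker 18.03 CE is EOL and never receives a fix, so it maps to None.
PATCHED = {
    ("ce", "18.09"): "18.09.2",
    ("ce", "18.06"): "18.06.2-ce",
    ("ce", "18.03"): None,
    ("ee", "18.09"): "18.09.2",
    ("ee", "18.03"): "18.03.1-ee-6",
    ("ee", "17.06"): "17.06.2-ee-19",
}
# For 18.09 the fixed runc ships in the separate containerd.io package.
MIN_CONTAINERD_IO = "1.2.2-3"

def parse_version(v):
    """Split '18.03.1-ee-6' into (edition, (18, 3, 1), ee_revision)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(ce|ee)(?:-(\d+))?)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised docker version: {v!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    edition = m.group(4) or "ce"          # assumption: no suffix means CE
    rev = int(m.group(5)) if m.group(5) else 0
    return edition, nums, rev

def version_key(v):
    """Comparable key: (major, minor, patch, ee_revision)."""
    _, nums, rev = parse_version(v)
    return nums + (rev,)

def docker_status(v):
    """Return 'patched', 'vulnerable', 'eol-unpatched' or 'unknown-branch'."""
    edition, nums, _ = parse_version(v)
    branch = f"{nums[0]}.{nums[1]:02d}"    # 18.3 -> "18.03"
    if (edition, branch) not in PATCHED:
        return "unknown-branch"
    fixed = PATCHED[(edition, branch)]
    if fixed is None:
        return "eol-unpatched"
    return "patched" if version_key(v) >= version_key(fixed) else "vulnerable"

def pkg_key(v):
    """Key for Debian-style '1.2.2-3': upstream version tuple, then package revision."""
    upstream, _, rev = v.partition("-")
    return tuple(int(x) for x in upstream.split(".")), int(rev or 0)

def containerd_io_ok(v):
    """True when the installed containerd.io package meets the 1.2.2-3 floor."""
    return pkg_key(v) >= pkg_key(MIN_CONTAINERD_IO)
```

For an 18.09 host both checks apply: `docker_status(...) == "patched"` and `containerd_io_ok(...)` must hold, since the engine package alone does not carry the fixed runc.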

@thaJeztah (Member)

Note that Docker 18.03 CE has reached EOL, so it won't be patched; I highly recommend updating to a currently maintained version (or to Docker EE, which has a longer support cycle).

@cpuguy83 (Member)

Let's please get runc updated in this repo.
PRs welcome.

It's in hack/Dockerfile/install/runc.installer.
Just update the SHA to the latest commit.

@thaJeztah (Member)

Yes, I was discussing with the containerd maintainers yesterday whether 1.2.4 would be tagged, but we can update runc before that.

@thaJeztah (Member)

Let me open a PR

@thaJeztah (Member)

PR: #38716

@mkumatag (Contributor)

Note that Docker 18.03 CE has reached EOL, so won't be patched, so I highly recommend to update to a currently maintained version (or to Docker EE, which has a longer support cycle)

@thaJeztah do you mind updating the SHA at least for 18.03, in case someone wants to build the packages themselves?

@thaJeztah (Member)

No, the release is EOL, so the release branch won't be updated, but you can either update the SHA to current runc master or apply the hot fix (similar to docker/docker-ce@9b00e48).

5 participants