Vulnerability Description
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Docker | Docker | < 18.09.2 |
| Linuxfoundation | Runc | <= 0.1.1 |
| Redhat | Container Development Kit | 3.7 |
| Redhat | Openshift | 3.4 |
| Redhat | Enterprise Linux | 8.0 |
| Redhat | Enterprise Linux Server | 7.0 |
| Kubernetes Engine | - | |
| Linuxcontainers | Lxc | < 3.2.0 |
| Hp | Onesphere | - |
| Netapp | Hci Management Node | - |
| Netapp | Solidfire | - |
| Apache | Mesos | >= 1.4.0, < 1.4.3 |
| Opensuse | Backports Sle | 15.0 |
| Opensuse | Leap | 15.0 |
| D2Iq | Kubernetes Engine | < 2.2.0-1.13.3 |
| D2Iq | Dc\/Os | < 1.10.10 |
| Fedoraproject | Fedora | 29 |
| Canonical | Ubuntu Linux | 16.04 |
| Microfocus | Service Management Automation | 2018.02 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.htmlMailing ListThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.htmlMailing ListThird Party Advisory
- http://packetstormsecurity.com/files/163339/Docker-Container-Escape.htmlExploitThird Party AdvisoryVDB Entry
- http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Third Party AdvisoryVDB Entry
- http://www.openwall.com/lists/oss-security/2019/03/23/1Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2019/06/28/2Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2019/07/06/3Mailing ListThird Party Advisory
FAQ
What is CVE-2019-5736?
CVE-2019-5736 is a vulnerability with a CVSS score of 8.6 (HIGH). runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to ex...
How severe is CVE-2019-5736?
CVE-2019-5736 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-5736?
Check the references section above for vendor advisories and patch information. Affected products include: Docker Docker, Linuxfoundation Runc, Redhat Container Development Kit, Redhat Openshift, Redhat Enterprise Linux.