CVE-2019-5736
UK8S has resolved the runc container escape vulnerability as of 15:00 on February 14, 2019, and has successfully passed attack and defense tests. This document outlines the methods for remediating clusters created before February 14, 2019.
Vulnerability Details
runc has a container escape vulnerability: a malicious container (requiring minimal user interaction) can overwrite the runc binary on the host and thereby gain code execution with root privileges on the host. The attack requires running a process as root inside a container, which is possible under either of the following conditions:
- A new container is created from an attacker-controlled image.
- An existing container to which the attacker previously had write access is attached to (for example with docker exec).
Scope of impact
Clusters created before 15:00 on February 14, 2019
The Docker version of these clusters is 1.13.1 and the runc version is earlier than 1.0-rc6, so they are exposed to this vulnerability and require remediation.
Clusters created after 15:00 on February 14, 2019 already include the fix and have passed attack and defense tests, so no further action is needed.
Because UK8S operates in single-tenant mode, the vulnerability cannot be exploited as long as no untrusted third-party images have been deployed in the UK8S cluster. For business security, however, remediation as soon as possible is recommended.
Repair method
Solution one
For test clusters, it is recommended to delete the cluster and recreate it. Newly created UK8S clusters already contain the fix for this vulnerability (CVE-2019-5736).
Solution two
Upgrade the runc version. This is a hot upgrade that, in theory, does not interrupt running workloads. The specific steps are as follows:
- Back up the original runc. On UK8S, runc is located at /usr/libexec/docker/docker-runc-current.
mv /usr/libexec/docker/docker-runc-current /usr/libexec/docker/docker-runc-current.$(date -Iseconds)
- Download the patched runc build for Docker 1.13.1 that matches the host kernel version, and put it in place of the original runc.
# Kernel version 4.x
wget https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3/runc-v1.13.1-amd64
mv runc-v1.13.1-amd64 /usr/libexec/docker/docker-runc-current
# Kernel version 3.x (build without memfd_create)
wget https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3/runc-v1.13.1-amd64-no-memfd_create
mv runc-v1.13.1-amd64-no-memfd_create /usr/libexec/docker/docker-runc-current
- Set executable permissions.
chmod +x /usr/libexec/docker/docker-runc-current
- Test whether the new runc works properly.
/usr/libexec/docker/docker-runc-current -v
docker run -it --rm ubuntu echo OK
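The same hot upgrade as one checked script, added here as an example and not a UK8S or Rancher script: it picks the build from the kernel version, keeps a timestamped backup by copying rather than moving (so runc is never absent while containers start), renames the new binary into place atomically, and rolls back if the smoke test fails. It assumes GNU coreutils, wget, a running Docker 1.13.1, and the runc path from the steps above (overridable through RUNC_PATH).

```sh
#!/bin/sh
# Added example (not a UK8S script): Solution two as a checked hot upgrade.
# Assumes GNU coreutils, wget and a running Docker 1.13.1 on the host.
set -eu
RELEASE_URL="https://github.com/rancher/runc-cve/releases/download/CVE-2019-5736-build3"
RUNC_PATH="${RUNC_PATH:-/usr/libexec/docker/docker-runc-current}"

# Pick the release asset from a kernel release string (uname -r output):
# 3.x kernels lack memfd_create, so they need the -no-memfd_create build.
runc_asset_for_kernel() {
  case "$1" in
    3.*) echo "runc-v1.13.1-amd64-no-memfd_create" ;;
    *)   echo "runc-v1.13.1-amd64" ;;
  esac
}

# Copy (not move) the current binary to a timestamped backup, so runc is never
# missing while containers start; prints the backup path.
backup_runc() {
  backup="$1.$(date -Iseconds)"
  cp -p "$1" "$backup"
  echo "$backup"
}

# Set the mode first, then rename over the old file (atomic on one filesystem).
install_runc() {  # $1 = new file, $2 = target path
  chmod 0755 "$1"
  mv -f "$1" "$2"
}
rollback_runc() {  # $1 = target path, $2 = backup path
  cp -p "$2" "$1"
}

main() {
  asset=$(runc_asset_for_kernel "$(uname -r)")
  tmp=$(mktemp "$(dirname "$RUNC_PATH")/runc.XXXXXX")  # same filesystem as target
  wget -q -O "$tmp" "$RELEASE_URL/$asset"
  backup=$(backup_runc "$RUNC_PATH")
  install_runc "$tmp" "$RUNC_PATH"
  # Smoke test as in the steps above; roll back if the new runc cannot start a container.
  if ! "$RUNC_PATH" -v >/dev/null 2>&1 || ! docker run --rm ubuntu echo OK >/dev/null; then
    rollback_runc "$RUNC_PATH" "$backup"
    echo "new runc failed smoke test; restored from $backup" >&2
    exit 1
  fi
  echo "runc replaced ($asset); backup kept at $backup"
}

case "${0##*/}" in upgrade-runc.sh) main ;; esac  # run only when invoked under that name
```

Save it as upgrade-runc.sh and run it as root on each node; sourcing the file instead exposes the functions without running the upgrade.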
Solution three
Upgrade Docker. Upgrade the Docker version of the existing cluster to 18.09.2 or later. This solution may interrupt containers and the business running on them, so proceed with caution.
If you need assistance with this remediation, please contact the UK8S team.
Reference links
https://www.openwall.com/lists/oss-security/2019/02/11/2
https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/