cv-announce-l@list.iu.edu
Subject: cv alerts list
- From: Andrew K Adams <akadams@psc.edu>
- To: cv-announce@trustedci.org
- Cc: "Andrew K. Adams" <akadams@psc.edu>
- Subject: [cv-announce-l] Docker / runc Privilege Escalation (CVE-2019-5736)
- Date: Tue, 12 Feb 2019 14:45:28 -0500
CI Operators:
A file-descriptor mishandling issue was found in ‘runc’ that can allow a user to overwrite the host runc binary[1][2][3]. ‘runc’ is used by Docker (before v18.09.2) and other container runtimes.
Impact:
On systems that do *not* have SELinux enabled in ‘enforcing’ mode, a malicious actor could escalate their privilege on the host system.
Affected Software:
* runc through 1.0-rc6
* docker-1.12 from RHEL7
Recommendation:
Apply the latest patch to Docker, or to runc if you use a different container runtime.
References:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
[2] https://access.redhat.com/security/cve/cve-2019-5736
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.
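
One way to check a host against the conditions listed under Impact and Affected Software above (an added example, not part of the original message). The function names and result labels are hypothetical; the thresholds are the ones the advisory states.

```shell
#!/bin/sh
# Added example, not from the advisory. Thresholds are the advisory's:
# Docker before 18.09.2, runc through 1.0-rc6, SELinux not enforcing.
# Version strings cannot show distro backports (e.g. a patched RHEL 7
# docker-1.12 build), so confirm any hit against the vendor's errata.

docker_affected() {               # exit 0 if Docker VERSION < 18.09.2
    v=${1%%[-+~]*}                # drop suffixes such as "-ce"
    [ -n "$v" ] || return 1       # Docker not installed
    case $v in *[!0-9.]*) return 0 ;; *.*) ;; *) return 0 ;; esac  # unparseable: flag
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0 # only two components given
    pat=${pat%%.*}
    [ "$maj" -lt 18 ] && return 0
    [ "$maj" -gt 18 ] && return 1
    [ "$min" -lt 9 ] && return 0
    [ "$min" -gt 9 ] && return 1
    [ "$pat" -lt 2 ]
}

runc_affected() {                 # exit 0 if runc VERSION <= 1.0-rc6
    case $1 in
        0.*) return 0 ;;
        1.0-rc*|1.0.0-rc*)
            rc=${1##*-rc}; rc=${rc%%[!0-9]*}   # "6+dev" -> "6"
            [ "${rc:-0}" -le 6 ] ;;
        *) return 1 ;;            # empty (not installed) or newer
    esac
}

assess() {                        # args: docker-version runc-version selinux-mode
    if ! docker_affected "$1" && ! runc_affected "$2"; then
        echo "not-affected"
    elif [ "$3" = "Enforcing" ]; then
        echo "affected-selinux-enforcing"   # still patch; impact is limited
    else
        echo "affected-exposed"
    fi
}

assess_host() {                   # read live values from this machine
    d=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
    r=$(runc --version 2>/dev/null | awk 'NR==1 {print $3}')
    s=$(getenforce 2>/dev/null)
    assess "$d" "$r" "$s"
}

if [ "${1:-}" = "--host" ]; then assess_host; fi
```

Run it with `--host` on the container host, or call `assess` with versions collected from inventory.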