A serious vulnerability in runc open-source container management has been discovered and patched. runc is used by most of the underlying container engines and runtime, such as Docker, cri-o, containerd, and Kubernetes.
A malicious container could leverage this bug to overwrite the host runc binary and run root-level arbitrary commands from the impacted host.
Aleksa Sarai of OpenWall published information on the issue, to include details on the runc vulnerability, patch, exploit code and impact on other products.
Red Hat also issued a security update on the runc vulnerability CVE-2019-5736 and potential impact:
“Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.”
Amazon Web Services (AWS) also released security updates for several products impacted by the runc flaw, to include Amazon Linux, Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Container Service for Kubernetes (Amazon EKS) and other AWS products.