repomanz

CVE-2019-5736 (runc vulnerability with docker)

Thanks @repomanz, I was just coming here to post on this. 

 

More info in case the vendor specific info may be of assistance to anyone...
I know my brain works off of keyword recognition much of the time ;-) :
Amazon/AWS - https://aws.amazon.com/security/security-bulletins/AWS-2019-002/
Kubernetes - https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/

Red Hat - https://access.redhat.com/security/vulnerabilities/runcescape

Ubuntu - https://www.ubuntuupdates.org/package/core/bionic/universe/updates/runc

US-CERT release - https://www.us-cert.gov/ncas/current-activity/2019/02/11/runc-Open-Source-Container-Vulnerability

Thanks for the reports.  We did see a new docker release, 18.09.02 that addresses this.  We are trying to determine if it warrants Unraid 6.6.7 patch release.

37 minutes ago, limetech said:

Thanks for the reports.  We did see a new docker release, 18.09.02 that addresses this.  We are trying to determine if it warrants Unraid 6.6.7 patch release.

 

Security comes first. I'd say it does.

  • Upvote 3

12 minutes ago, Koden said:

Is there any update with the possibility of updating docker? I only run a few, and I'm generally careful about what images I run, but as evidenced by PEAR's issues last month, even a reputable source can have malware slid in:
https://blog.cpanel.com/when-php-went-pear-shaped-the-php-pear-compromise/

That didn't have anything to do with docker though, right?

 

That said, I think we will publish 6.6.7 with an update to docker used in that release.

  • Like 2

19 minutes ago, limetech said:

That didn't have anything to do with docker though, right?

No, not directly; unless unRAID uses the PEAR PHP package and implemented a compromised copy... 
I mentioned that only as an example of how easily compromise *could* happen, even using only reputable sources (which is the #1 response when talking about vm or docker vulnerabilities usually). 

As a more direct example, I run a Plex docker. So if Plex's software has, or developed, a bug that allowed exploitation of the runc vulnerability, I could end up riding the proverbial smelly creek without a poop-stick!
 

19 minutes ago, limetech said:

That said, I think we will publish 6.6.7 with an update to docker used in that release.

Thank you 🙂 I for one will sleep easier with that decision. 
Thank you for the support, and once again I am thankful for the responsiveness of this community!

On 2/20/2019 at 1:29 PM, limetech said:

That didn't have anything to do with docker though, right?

 

That said, I think we will publish 6.6.7 with an update to docker used in that release.

Thank you.

 

6.6.7 has been released. Upgraded with no issues. Much appreciated.

  • Like 1


I concur - upgrade successful and most appreciated 👍
