repomanz

CVE-2019-5736 (runc vulnerability with docker)

Thanks @repomanz, I was just coming here to post on this.

More info in case the vendor specific info may be of assistance to anyone...
I know my brain works off of keyword recognition much of the time ;-) :
Amazon/AWS - https://aws.amazon.com/security/security-bulletins/AWS-2019-002/
Kubernetes - https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
Red Hat - https://access.redhat.com/security/vulnerabilities/runcescape
Ubuntu - https://www.ubuntuupdates.org/package/core/bionic/universe/updates/runc
US-CERT release - https://www.us-cert.gov/ncas/current-activity/2019/02/11/runc-Open-Source-Container-Vulnerability

Thanks for the reports.  We did see a new docker release, 18.09.02 that addresses this.  We are trying to determine if it warrants Unraid 6.6.7 patch release.

37 minutes ago, limetech said:

Thanks for the reports.  We did see a new docker release, 18.09.02 that addresses this.  We are trying to determine if it warrants Unraid 6.6.7 patch release.

Security comes first. I'd say it does.

12 minutes ago, Koden said:

Is there any update with the possibility of updating docker? I only run a few, and I'm generally careful about what images I run, but as evidenced by PEAR's issues last month even a reputable source can have malware slid in:
https://blog.cpanel.com/when-php-went-pear-shaped-the-php-pear-compromise/

That didn't have anything to do with docker though, right?

That said, I think we will publish 6.6.7 with an update to docker used in that release.

19 minutes ago, limetech said:

That didn't have anything to do with docker though, right?

No, not directly; unless unRAID uses the PEAR PHP package and implemented a compromised copy... 
I mentioned that only as an example of how easily compromise *could* happen, even using only reputable sources (which is the #1 response when talking about vm or docker vulnerabilities usually). 

As a more direct example, I run a Plex docker. So if Plex's software has, or developed, a bug that allowed exploitation of the runc vulnerability, I could end up riding the proverbial smelly creek without a poop-stick!

19 minutes ago, limetech said:

That said, I think we will publish 6.6.7 with an update to docker used in that release.

Thank you 🙂 I for one will sleep easier with that decision. 
Thank you for the support, and once again I am thankful for the responsiveness of this community!

On 2/20/2019 at 1:29 PM, limetech said:

That didn't have anything to do with docker though, right?

That said, I think we will publish 6.6.7 with an update to docker used in that release.

Thank you.

6.6.7 has been released. Upgraded with no issues. Much appreciated.
