CVE-2019-5736 (runc vulnerability with docker)


repomanz


Thanks @repomanz, I was just coming here to post on this. 

 

More info in case the vendor-specific info may be of assistance to anyone...
I know my brain works off of keyword recognition much of the time ;-) :

Amazon/AWS - https://aws.amazon.com/security/security-bulletins/AWS-2019-002/

Kubernetes - https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/

Red Hat - https://access.redhat.com/security/vulnerabilities/runcescape

Ubuntu - https://www.ubuntuupdates.org/package/core/bionic/universe/updates/runc

US-CERT release - https://www.us-cert.gov/ncas/current-activity/2019/02/11/runc-Open-Source-Container-Vulnerability

  • 2 weeks later...
12 minutes ago, Koden said:

Is there any update with the possibility of updating docker? I only run a few, and I'm generally careful about what images I run, but as evidenced by PEAR's issues last month, even a reputable source can have malware slid in:
https://blog.cpanel.com/when-php-went-pear-shaped-the-php-pear-compromise/

That didn't have anything to do with docker though, right?

 

That said, I think we will publish 6.6.7 with an update to docker used in that release.

19 minutes ago, limetech said:

That didn't have anything to do with docker though, right?

No, not directly; unless unRAID uses the PEAR PHP package and implemented a compromised copy... 
I mentioned that only as an example of how easily compromise *could* happen, even using only reputable sources (which is the #1 response when talking about VM or docker vulnerabilities usually).

As a more direct example, I run a Plex docker. So if Plex's software has, or developed, a bug that allowed exploitation of the runc vulnerability, I could end up riding the proverbial smelly creek without a poop-stick!
 

19 minutes ago, limetech said:

That said, I think we will publish 6.6.7 with an update to docker used in that release.

Thank you 🙂 I for one will sleep easier with that decision. 
Thank you for the support, and once again I am thankful for the responsiveness of this community!
