Security Advisory

RunC Exec Vulnerability

Severity

Medium

Vendor

Open Containers Initiative

Description

RunC allowed additional container processes started via runc exec to be ptraced by pid 1 of the container. This lets the container's main process, if it is running as root, gain access to the file descriptors of those new processes during their initialization, which can lead to container escapes or modification of runC state before the new process is fully placed inside the container.

Affected Cloud Foundry Products and Versions

  • Garden-runC versions prior to 1.1.1

The Cloud Foundry team has determined that the project is not exposed to this particular vulnerability and therefore does not require any upgrades. Cloud Foundry never runs user processes as pid 1, runs all buildpack containers as unprivileged users in a user namespace, and uses AppArmor to prevent ptrace, so the specific exploit in the CVE is not possible.

However, the CVE patch from runC also worked around an Ubuntu kernel bug: file descriptors inherited by a new process remained available for a very short time when they should have been closed automatically. This could allow a container to access files on the host, although not with elevated permissions.
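The kernel bug above concerns descriptors that a new process inherits when they should already have been closed. As an added example (not code from Cloud Foundry or runC), the following Python audit, intended to run as the first step of a container entrypoint, lists open descriptors beyond the standard streams that are still inheritable (no FD_CLOEXEC) and marks them close-on-exec; the enumeration via /proc/self/fd, with a bounded range scan as fallback, is an assumption about the host.

```python
import os

STD_FDS = {0, 1, 2}   # standard streams are expected to be inherited
PROBE_LIMIT = 4096    # assumption: fallback scan range when /proc is absent


def open_fds():
    """Return the set of file descriptors currently open in this process."""
    try:
        # Linux: /proc/self/fd lists every open descriptor by number.
        candidates = [int(n) for n in os.listdir("/proc/self/fd") if n.isdigit()]
    except OSError:
        # Portable fallback: probe a fixed range (assumption: no fds >= PROBE_LIMIT).
        candidates = range(PROBE_LIMIT)
    fds = set()
    for fd in candidates:
        try:
            os.fstat(fd)  # also drops the transient fd listdir used for /proc
            fds.add(fd)
        except OSError:
            continue
    return fds


def inheritable_fds(fds=None):
    """Descriptors beyond stdin/stdout/stderr that would survive an exec.

    A descriptor without FD_CLOEXEC (os.get_inheritable() is True) is handed
    to any program this process execs: the condition the advisory describes.
    """
    if fds is None:
        fds = open_fds()
    leaked = []
    for fd in sorted(fds):
        if fd in STD_FDS:
            continue
        try:
            if os.get_inheritable(fd):
                leaked.append(fd)
        except OSError:
            continue
    return leaked


def mark_close_on_exec(fds):
    """Set FD_CLOEXEC on each descriptor; returns the fds actually changed."""
    changed = []
    for fd in fds:
        try:
            os.set_inheritable(fd, False)
            changed.append(fd)
        except OSError:
            continue
    return changed
```

Run `mark_close_on_exec(inheritable_fds())` before exec'ing the real workload; any descriptor it reports is one the runtime or parent leaked into the container.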

Mitigation

OSS users are encouraged to follow one of the mitigations below:

  • Upgrade garden-runC to version 1.1.1 or later.

Credit

Credit for this discovery goes to Aleksa Sarai from SUSE and Tõnis Tiigi from Docker.

References

History

2017-01-17: Notice updated to include further vulnerability information.
2017-01-18: Updated Severity to Medium.


Cloud Foundry Foundation Security Team, AUTHOR
