mirror of https://github.com/kubernetes/kops.git
55 lines
2.8 KiB
Markdown
55 lines
2.8 KiB
Markdown
# CVE-2019-5736 - runc container breakout
|
|
|
|
runc through 1.0-rc6, as used in Docker before 18.09.2, allows attackers to
|
|
overwrite the host runc binary and consequently obtain host root access. For
|
|
more information, please see the [NIST advisory][NIST advisory]
|
|
or the [kubernetes advisory][kubernetes advisory].
|
|
|
|
For kOps, kOps releases 1.11.1 or later include workarounds, but note that the
|
|
fixes depend on the version of kubernetes you are running. Because kubernetes
|
|
1.10 and 1.11 were only validated with Docker version 17.03.x (and earlier), and
|
|
because Docker has chosen not to offer fixes for 17.03 in OSS, there is no
|
|
patched version.
|
|
|
|
**You must update to kOps 1.11.1 (or later) if you are running kubernetes <=
|
|
1.11.x to get this fix**
|
|
|
|
However, there is [an alternative](https://seclists.org/oss-sec/2019/q1/134) to
|
|
the patch which is less impactful and requires no source code changes: it is
|
|
possible to mark runc as immutable using `chattr`. Doing so protects against
|
|
the known exploits. The exception is privileged pods (that are effectively root
|
|
anyway) and pods that have explicitly been granted CAP_LINUX_IMMUTABLE in the
|
|
[`securityContext.capabilities`][securityContext.capabilities].
|
|
|
|
**If you are running pods that are not privileged but you grant
|
|
CAP_LINUX_IMMUTABLE in the
|
|
[`securityContext.capabilities`][securityContext.capabilities], and are
|
|
running kubernetes 1.11 (or earlier), you should consider one of the
|
|
alternative fixes listed below**
|
|
|
|
## Summary of fixes that ship with kOps >= 1.11.1
|
|
|
|
* Kubernetes 1.11 (and earlier): we mark runc with the immutable attribute.
|
|
* Kubernetes 1.12 (and later): we install a version of docker that includes a
|
|
fixed runc
|
|
|
|
## Alternative fixes for users of kubernetes 1.11 (or earlier)
|
|
|
|
* Anticipate upgrading to kubernetes 1.12 earlier than previously planned. We are
|
|
accelerating the kOps 1.12 release to facilitate this.
|
|
* Consider replacing the docker version with 18.06.3 or later. Note that this
|
|
will "pin" your docker version and in future you will want to remove this to
|
|
get future docker upgrades. (Do not select docker 18.06.2 on Redhat/Centos,
|
|
that version was mistakenly packaged by Docker without including the fix)
|
|
* Consider replacing just runc - some third parties have backported the fix to
|
|
runc 17.03, and our wonderful community of kOps users has shared their
|
|
approaches to patching runc, see
|
|
[here](https://github.com/kubernetes/kops/issues/6459) and
|
|
[here](https://github.com/kubernetes/kops/issues/6476#issuecomment-465861406).
|
|
|
|
|
|
|
|
[NIST advisory]: https://nvd.nist.gov/vuln/detail/CVE-2019-5736
|
|
[kubernetes advisory]: https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
|
|
[securityContext.capabilities]: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
|