A high severity vulnerability in runC was disclosed this week that could affect the security of customers running virtualized or cloud service environments. Customers using container services within their cloud environment are the most likely to be affected by this vulnerability and should verify that appropriate measures have been taken to mitigate the threat.
To learn more about this vulnerability, please visit NIST: CVE-2019-5736.
The affected tool, runC, is the low-level runtime at the center of Linux container execution and is used by tools such as Docker, containerd, and CRI-O. Orchestration tools such as Kubernetes, which sit on top of these products, can also be affected. The vulnerability could be exploited to gain root privileges on the host server running the container service and, in turn, gain access to other containers and services.
A-LIGN recommends upgrading to the latest patched version of runC, which corrects this issue. Note that this issue can also be prevented through policy and by enabling appropriate SELinux permissions on host servers. Customers should verify with their cloud service provider how this vulnerability affects their specific environment.
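As an added verification example (not part of the A-LIGN advisory), the following POSIX shell script checks a Linux host for the two mitigations named above: a patched runC and SELinux in enforcing mode. `runc` and `getenforce` are the real command names; `MIN_RUNC_VERSION` is a placeholder that must be set to the patched version your distribution or cloud provider publishes for CVE-2019-5736, and the version parsing and comparison helpers are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the A-LIGN advisory: check a Linux host for the two
# mitigations the advisory names, a patched runC and SELinux in enforcing mode.
# MIN_RUNC_VERSION is a PLACEHOLDER (assumption): set it to the patched runC
# version your distribution or cloud provider publishes for CVE-2019-5736.
MIN_RUNC_VERSION="${MIN_RUNC_VERSION:-X.Y.Z}"

# parse_runc_version: read `runc --version` output on stdin and print the version
# field of its "runc version <ver>" line (constructed helper).
parse_runc_version() {
    awk '$1 == "runc" && $2 == "version" { print $3; exit }'
}

# version_ge A B: succeed (exit 0) when dotted version A is >= B.
# A leading "v" and any pre-release or packaging suffix ("-rc7", "~ds1") are
# dropped, so 1.0.0-rc7 compares as 1.0.0; choose MIN_RUNC_VERSION accordingly.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}            # leading numeric component of each side
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac   # drop the compared component
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0                              # every component equal
}

# check_host: report the runC version and SELinux mode; returns 0 only when both
# mitigations are in place, 2 when the placeholder version was never set.
# Older Docker packages shipped the runtime as `docker-runc`; adjust if needed.
check_host() {
    if [ "$MIN_RUNC_VERSION" = "X.Y.Z" ]; then
        echo "set MIN_RUNC_VERSION to the patched runC version for CVE-2019-5736 first"
        return 2
    fi
    status=0
    if command -v runc >/dev/null 2>&1; then
        ver=$(runc --version 2>/dev/null | parse_runc_version)
        if [ -n "$ver" ] && version_ge "$ver" "$MIN_RUNC_VERSION"; then
            echo "runc $ver: at or above $MIN_RUNC_VERSION"
        else
            echo "runc ${ver:-unknown}: below $MIN_RUNC_VERSION, upgrade required"
            status=1
        fi
    else
        echo "runc not found in PATH: confirm which runtime binary your container service uses"
        status=1
    fi
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        echo "SELinux: Enforcing"
    else
        echo "SELinux: not enforcing (or not installed); policy-based mitigation not in effect"
        status=1
    fi
    return "$status"
}

# Run the host check only when invoked as:  MIN_RUNC_VERSION=<ver> sh runc_check.sh --check
case "${1-}" in --check) check_host ;; esac
```

The comparison deliberately ignores pre-release suffixes, so a vendor-backported fix in an `rc` build is only recognised if `MIN_RUNC_VERSION` is set to that build's base version; confirm the exact fixed version with your provider rather than relying on the number alone, and treat a non-zero exit as a host that still needs attention.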
For more information, please visit: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736