Cameron Lepper
Vulnerability Identified in Docker & RunC

Docker Vulnerability Reported

On Saturday, Red Hat posted a new entry in the Common Vulnerabilities and Exposures database, with the impact level "Important". A malicious container could exploit the vulnerability to gain access to the host filesystem.

It defines the weakness as:

"A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system."

The full details can be found here.

The recommendation is to patch RunC ASAP, if you haven't already.
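To turn the advisory into something checkable on a host, here is an added shell example; it is not code from the post or from the runc project. Since the quoted flaw works by overwriting the runc binary in place, the script records a baseline SHA-256 of that binary on a known-good host and later verifies it, and it also compares the installed runc version against a minimum you supply. The path /usr/bin/runc, the baseline file location and MIN_RUNC_VERSION are assumptions and placeholders; the post itself gives no fixed version number, so take that from the advisory.

```shell
#!/bin/sh
# Added example, not code from the original post or the runc project.
# Integrity and version checks for the host's runc binary.
# Assumptions: runc lives at RUNC_PATH (default /usr/bin/runc), the baseline
# digest is stored at RUNC_BASELINE, and MIN_RUNC_VERSION is the fixed version
# from the advisory (placeholder 0.0.0 here; the post gives no number).

runc_path="${RUNC_PATH:-/usr/bin/runc}"
baseline="${RUNC_BASELINE:-/var/lib/runc-baseline.sha256}"
min_runc_version="${MIN_RUNC_VERSION:-0.0.0}"

# sha256_of FILE: print the hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# record_baseline FILE OUT: store FILE's digest in OUT. Do this on a known-good
# host, and keep OUT somewhere a container cannot write.
record_baseline() {
    sha256_of "$1" > "$2"
}

# verify_binary FILE BASELINE: exit status 0 if FILE still matches the recorded
# digest, 1 if it has changed (the flaw described overwrites runc in place)
verify_binary() {
    expected=$(cat "$2")
    actual=$(sha256_of "$1")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $1 matches baseline"
        return 0
    fi
    echo "ALERT: $1 digest changed (expected $expected, got $actual)"
    return 1
}

# version_ge A B: exit status 0 if dotted version A is >= B (uses GNU sort -V)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# installed_runc_version: first line of `runc --version` reads "runc version X.Y.Z"
installed_runc_version() {
    runc --version 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# runc_version_ok: exit status 0 if the installed runc is at or above the minimum
runc_version_ok() {
    v=$(installed_runc_version)
    [ -n "$v" ] || { echo "runc not found on PATH"; return 1; }
    if version_ge "$v" "$min_runc_version"; then
        echo "OK: runc $v >= $min_runc_version"
        return 0
    fi
    echo "ALERT: runc $v is older than $min_runc_version; patch it"
    return 1
}

# With no argument the script only defines the functions, so it can be sourced.
case "${1:-}" in
    baseline) record_baseline "$runc_path" "$baseline" ;;
    verify)   verify_binary "$runc_path" "$baseline" ;;
    version)  runc_version_ok ;;
esac
```

Run it once with `baseline` on a freshly patched host, then `verify` from a cron job or your monitoring agent; on package-managed hosts `rpm -V runc` or `dpkg --verify` give an equivalent integrity check against the package database. A baseline only helps if it was recorded before any compromise and stored where no container can reach it.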

This was shared to me this morning, and came as a bit of a surprise. Does this affect you, or your organisation?

Edit: It has been pointed out to me that the initial publication of this CVE was in February! Thanks @ohffs for that. Hope this blog still stands as a useful resource, and a reminder of the importance of keeping patches up to date!

Top comments (8)

ohffs

Is that not the cve that was patched a while back? The publication date is 11th of February?

Hello from Glasgow btw :: waves :: :-)

Cameron Lepper (edited)

Oh, yes, actually. You're absolutely right. This was sent over to me this morning as a 'new threat' to deal with, and as such I treated it as news. I hadn't spotted the publication date, in my haste to share it! Oops! Thanks - I'm hopeful that, if all else, this post serves as a useful reminder to patch up!

Ah, a fellow Glasgow-er! Wasn't sure how many I'd bump into on here! :)

ohffs

We Glaswegians get everywhere it seems ;-) One day the internet will realise what we're like and ban us ;-)

At the moment we're in the process of going from 'docker for qa' to 'docker for production' so your post caught my eye - I was all ready to sigh and start patching - then the cve number caught my eye and thought 'oh, that's familiar' ;-)

Mykezero

Does anyone have any strategies for being updated when new vulnerabilities are released? I've always wondered how people stay on top of these situations.

Phil Ashby

I find a reasonable amount via the Full Disclosure mailing list:
seclists.org/fulldisclosure/

Other sources are my Twitter contacts in the infosec industry, including the official CVE team cve.mitre.org/cve/

Finally - I run Debian on public systems, so their own security patches are a source of alerts.

ohffs

I think, sadly, as with a lot of tech these days it's either 'maybe see something on twitter' or 'saw a blog post the other day' :-/ Docker's own CVE database doesn't inspire much confidence either: docker.com/legal/docker-cve-database

Keith Vidal

Container runtime images for Docker that are published in the Azure Marketplace are patched to the latest CVE standards. All VM and container images undergo vulnerability testing prior to publication in Azure Marketplace.

Keith Vidal

Patched Docker runtime images have since been republished to the Azure Marketplace. Thanks for posting.