Runc and CVE-2019-5736
Authors: Kubernetes Product Security Committee
This morning
Very briefly, runc is the low-level tool which does the heavy lifting of spawning a Linux container. Other tools like Docker, Containerd, and CRI-O sit on top of runc to deal with things like data formatting and serialization, but runc is at the heart of all of these systems. Kubernetes in turn sits on top of those tools, and so while no part of Kubernetes itself is vulnerable, most Kubernetes installations are using runc under the hood. While full details are still embargoed to give people time to patch, the rough version is that when running a process as root (UID 0) inside a container, that process can exploit a bug in runc to gain root privileges on the host running the container. This then allows them unlimited access to the server as well as any other containers on that server. If the process inside the container is either trusted (something you know is not hostile) or is not running as UID 0, then the vulnerability does not apply. It can also be prevented by SELinux, if an appropriate policy has been applied. RedHat Enterprise Linux and CentOS both include appropriate SELinux permissions with their packages and so are believed to be unaffected if SELinux is enabled. The most common source of risk is attacker-controller container images, such as unvetted images from public repositories. As with all security issues, the two main options are to mitigate the vulnerability or upgrade your version of runc to one that includes the fix. As the exploit requires UID 0 within the container, a direct mitigation is to ensure all your containers are running as a non-0 user. This can be set within the container image, or via your pod specification: This can also be enforced globally using a PodSecurityPolicy: Setting a policy like this is highly encouraged given the overall risks of running as UID 0 inside a container. Another potential mitigation is to ensure all your container images are vetted and trusted. This can be accomplished by building all your images yourself, or by vetting the contents of an image and then pinning to the image version hash ( Upgrading runc can generally be accomplished by upgrading the package Some platforms have also posted more specific instructions: Google has issued a
Amazon has also issued a
Microsoft has issued a
Kops has issued an
We don't have specific confirmation that Docker for Mac and Docker for Windows are vulnerable, however it seems likely. Docker has released a fix in
If you are unable to upgrade Docker, the Rancher team has provided backports of the fix for many older versions at
If you have any further questions about how this vulnerability impacts Kubernetes, please join us at discuss.kubernetes.io.What is runc?
What is the vulnerability?
What should i do?
---
apiVersion: v1
kind: Pod
metadata:
name: run-as-uid-1000
spec:
securityContext:
runAsUser: 1000
# ...
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: non-root
spec:
privileged: false
allowPrivilegeEscalation: false
runAsUser:
# Require the container to run without root privileges.
rule: 'MustRunAsNonRoot'
image: external/someimage@sha256:7832659873hacdef
).runc
for your distribution or by upgrading your OS image if using immutable images. This is a list of known safe versions for various distributions and platforms:Google Container Engine (GKE)
Amazon Elastic Container Service for Kubernetes (EKS)
Azure Kubernetes Service (AKS)
Kops
Docker
Getting more information