Yesterday (11 Feb 2019), a new vulnerability in runc was announced. It allows a container escape simply by running a malicious image: when the image is run, it exploits a defect in runc to overwrite the runc binary on the host, which gives the attacker full control of the host itself and of every other container running on it. Note that there is no need to patch your container images; only the hosts need to be patched.

Applying Security Update to Kontena Pharos

CentOS / Red Hat

docker

First make sure you have updated Kontena Pharos to version 2.1.5 or newer. Then run pharos up against the existing cluster, which will apply the updated docker package from Red Hat.

cri-o

Update Kontena Pharos to version 2.2.1. This will update the cri-o package to the patched version.

Ubuntu

docker

First make sure you have updated Kontena Pharos to version 2.1.5 or newer. Then run pharos up against the existing cluster, which will apply the updated docker package from Ubuntu.

cri-o

Update Kontena Pharos to version 2.2.1. This will update the cri-o package to the patched version.

Debian

docker

Update Kontena Pharos to version 2.2.1. This will update the docker-ce package to the patched version.

cri-o

Update Kontena Pharos to version 2.2.1. This will update the cri-o package to the patched version.
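After pharos up has rolled out the updated packages, you will want to confirm on each host that the runtime packages really are at or above the fixed version. The script below is an added example, not part of Kontena Pharos or of the original post: it reads the installed package version through dpkg or rpm and compares it against a minimum version that you supply from your distribution's advisory (the package names and minimum versions in the usage line are placeholders; this page does not state them).

```shell
#!/bin/sh
# Hypothetical post-patch check, not part of Kontena Pharos: run on each
# host after "pharos up" to confirm the container runtime packages are at
# or above the patched version. Minimum versions are supplied by the caller
# from the distribution's advisory; none are stated on this page.

# version_ge A B: succeeds when dotted version A >= B. A Debian epoch ("5:")
# and any suffix after the numeric part ("~3-0~ubuntu", "-rc6") are ignored,
# so compare distribution package versions, not "runc --version" output.
version_ge() {
    a=$(printf '%s' "$1" | sed -e 's/^[0-9]*://' -e 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed -e 's/^[0-9]*://' -e 's/[^0-9.].*$//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}              # leading component of each
        if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 1
    done
    return 0                                  # all components equal
}

# installed_version PKG: print the installed version via dpkg (Debian,
# Ubuntu) or rpm (CentOS, Red Hat); prints nothing if PKG is not installed.
installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}' "$1" 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q "$1" >/dev/null 2>&1 && rpm -q --qf '%{VERSION}-%{RELEASE}' "$1"
    fi
}

# check_package PKG MIN: one-line verdict; exit status 0 only when patched.
check_package() {
    v=$(installed_version "$1")
    if [ -z "$v" ]; then echo "$1: not installed"; return 2; fi
    if version_ge "$v" "$2"; then echo "$1 $v: patched (>= $2)"; return 0; fi
    echo "$1 $v: VULNERABLE (< $2)"; return 1
}

# Usage: sh check-runtime.sh docker-ce <MIN> runc <MIN> cri-o <MIN>
# (package names and minimum versions are placeholders for your distro).
main() {
    rc=0
    while [ $# -ge 2 ]; do check_package "$1" "$2" || rc=1; shift 2; done
    return $rc
}
if [ $# -gt 0 ]; then main "$@"; exit $?; fi
```

A non-zero exit from the script means at least one listed package is missing or still below the minimum, so it can be run over all hosts from a loop or a configuration management tool and the failures collected.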
