Yesterday (11 Feb 2019), a new vulnerability in runc was announced. It allows a container escape simply by running a malicious image: when the image is run, it exploits a defect in runc to overwrite the runc binary on the host, which gives the attacker unlimited control of the host itself and of every other container running on it. Note that there is no need to patch your container images; you only need to patch your hosts.
Applying Security Update to Kontena Pharos
CentOS / Redhat
docker
First make sure you have updated Kontena Pharos to version 2.1.5 or newer. Then run pharos up against the existing cluster; this applies the updated docker package from Red Hat.
cri-o
Update Kontena Pharos to version 2.2.1. This updates the cri-o package to the patched version.
Ubuntu
docker
First make sure you have updated Kontena Pharos to version 2.1.5 or newer. Then run pharos up against the existing cluster; this applies the updated docker package from Ubuntu.
cri-o
Update Kontena Pharos to version 2.2.1. This updates the cri-o package to the patched version.
Debian
docker
Update Kontena Pharos to version 2.2.1. This updates the docker-ce package to the patched version.
cri-o
Update Kontena Pharos to version 2.2.1. This updates the cri-o package to the patched version.
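The steps above differ only in which Pharos release carries the fix for a given OS and container runtime. The following POSIX sh script is an added example, not Kontena's code, that a cluster operator can keep next to the cluster configuration: it encodes the minimum Pharos version table from this post, compares it with an installed version, and, after pharos up has been run, checks the host's runc binary against the package database (rpm -V or dpkg -V), since a modified or missing runc binary is exactly what a successful exploit of this vulnerability leaves behind on a host. Assumptions: the binary is found as runc or docker-runc on the PATH and is owned by an rpm or dpkg package; the verify output uses the package managers' standard nine-character status field (the third character, 5, flags a digest mismatch).

```sh
#!/bin/sh
# Added example (not part of the Kontena Pharos project): post-update host check.

# Minimum Pharos release that ships the patched runtime for an OS/runtime pair,
# as stated in the advisory text above.
required_pharos_version() {
  case "$1/$2" in
    centos/docker|redhat/docker|ubuntu/docker) echo "2.1.5" ;;
    centos/cri-o|redhat/cri-o|ubuntu/cri-o) echo "2.2.1" ;;
    debian/docker|debian/cri-o) echo "2.2.1" ;;
    *) return 1 ;;
  esac
}

# Returns 0 when dotted version $1 is greater than or equal to $2.
version_ge() {
  lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$2" ]
}

# One line of `rpm -V` / `dpkg -V` output: the first nine characters are
# status flags (SM5DLUGTP / ??5??????); '5' in position three means the file
# contents no longer match the package digest. rpm prints "missing" for a
# file that has been removed. Returns 0 if the binary is intact, 1 otherwise.
verify_line_intact() {
  case "$1" in
    missing*) return 1 ;;
  esac
  flags=$(printf '%s' "$1" | cut -c1-9)
  case "$flags" in
    ??5*) return 1 ;;
    *) return 0 ;;
  esac
}

# $1 is the verify output filtered to the runc binary (empty when the package
# manager reported no deviation). Prints "intact" or "modified".
classify_verify_output() {
  if [ -z "$1" ]; then
    echo intact
    return 0
  fi
  if verify_line_intact "$1"; then
    echo intact
    return 0
  fi
  echo modified
  return 1
}

# Locate runc (assumption: named runc or docker-runc) and compare it with the
# package database. Prints intact/modified/unknown.
check_runc_binary() {
  bin="${1:-$(command -v runc 2>/dev/null || command -v docker-runc 2>/dev/null)}"
  if [ -z "$bin" ]; then
    echo unknown
    return 2
  fi
  if command -v rpm >/dev/null 2>&1 && pkg=$(rpm -qf "$bin" 2>/dev/null); then
    out=$(rpm -V "$pkg" 2>/dev/null | grep -F -- "$bin")
  elif command -v dpkg >/dev/null 2>&1 && pkg=$(dpkg -S "$bin" 2>/dev/null | cut -d: -f1); then
    out=$(dpkg -V "$pkg" 2>/dev/null | grep -F -- "$bin")
  else
    echo unknown
    return 2
  fi
  classify_verify_output "$out"
}

# Usage: sh check.sh <os> <runtime> <installed-pharos-version>
main() {
  need=$(required_pharos_version "$1" "$2") || { echo "unknown os/runtime: $1/$2"; return 2; }
  if version_ge "$3" "$need"; then
    echo "pharos $3 satisfies minimum $need for $1/$2"
  else
    echo "pharos $3 is older than required $need for $1/$2; upgrade and run pharos up"
  fi
  echo "runc binary: $(check_runc_binary)"
}

if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Run it on each host as sh check.sh ubuntu docker 2.1.5 after pharos up has completed. A result of "modified" for the runc binary means the host should be treated as compromised rather than merely unpatched, because the package manager's digest no longer matches the installed file.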
References
- https://www.openwall.com/lists/oss-security/2019/02/11/2
- https://nvd.nist.gov/vuln/detail/CVE-2019-5736