CVE Vulnerabilities

CVE-2019-5736

This vulnerability is marked as RESERVED by NVD. This means that the CVE-ID has been reserved for future use by a CVE Numbering Authority (CNA) or a security researcher, but its details are not yet publicly available.

This page will reflect the classification results once they are available through NVD.

Any available vendor information is shown below.

Redhat

CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem

Mitigation

This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a prerequisite for OpenShift Container Platform 3.x.

Affected Software List

Name                                      | Vendor | Version
Other                                     | RedHat |
Red Hat Enterprise Linux 7 Extras         | RedHat | runc-0:1.0.0-59.dev.git2abd837.el7
Red Hat Enterprise Linux 7 Extras         | RedHat | docker-2:1.13.1-91.git07f3374.el7
Red Hat Enterprise Linux 8                | RedHat | container-tools:rhel8-8000020190416221845.2ffa3d27
Red Hat OpenShift Container Platform 3.4  | RedHat | docker-2:1.12.6-79.git5680db5.el7
Red Hat OpenShift Container Platform 3.5  | RedHat | docker-2:1.12.6-79.git5680db5.el7
Red Hat OpenShift Container Platform 3.6  | RedHat | docker-2:1.12.6-79.git5680db5.el7
Red Hat OpenShift Container Platform 3.7  | RedHat | docker-2:1.12.6-79.git5680db5.el7

Ubuntu

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Affected Software List

Name      | Vendor          | Version
Docker.io | Ubuntu/cosmic   | 18.06.1-0ubuntu1.2
Docker.io | Ubuntu/bionic   | 18.06.1-0ubuntu1.2~18.04.1
Docker.io | Ubuntu/trusty   | reached end-of-life
Docker.io | Ubuntu/upstream | TBD
Docker.io | Ubuntu/xenial   | 18.06.1-0ubuntu1.2~16.04.1
Runc      | Ubuntu/bionic   | 1.0.0~rc4+dfsg1-6ubuntu0.18.04.1
Runc      | Ubuntu/upstream | TBD
Runc      | Ubuntu/xenial   | 1.0.0~rc2+docker1.13.1-0ubuntu1~16.04.1
Runc      | Ubuntu/cosmic   | 1.0.0~rc4+dfsg1-6ubuntu0.18.10.1