Advisory ID: KYLIN-2019-5736
Severity: Important
Product: Kylin V3
Release date: 11 February 2019
CVE: CVE-2019-5736
CVSS3 score: 7.7
Overview:
The 'docker' package shipped in Kylin Enterprise Linux 7 Extras bundles 'runc' starting from 'docker' version 1.12. Both the 'docker' and 'runc' packages are affected by this issue. The 'docker-latest' package is deprecated as of Kylin Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Kylin Enterprise Linux 7 Extras. OpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Kylin Enterprise Linux 7 Extras. OCP versions 3.4 through 3.7 use 'docker' version 1.12 from the Kylin Enterprise Linux 7 Extras channel, which is also affected by this issue. OpenShift Container Platform 3.9 previously shipped a version of 'runc' in its RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Kylin Enterprise Linux 7 Extras channel. Kylin Enterprise Linux Atomic Host 7 is not affected by this vulnerability because the target runc binaries are stored on a read-only filesystem and cannot be overwritten.
Description:
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling related to /proc/self/exe. A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite the contents of the runc binary and consequently run arbitrary commands on the container host system.
System versions:
KYLIN 3.3.x
Affected packages:
docker-1.12
docker-latest
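The overview notes that Atomic Host is unaffected because its runc binaries live on a read-only filesystem. The following host audit, added here as an example and not part of the Kylin advisory, reads /proc/mounts, finds the mount holding a runc path, and reports whether that mount is read-only; the candidate binary paths and the sample mount table are assumptions.

```python
"""Audit whether a host's runc binary sits on a read-only mount (added example)."""
import os

# Constructed sample of /proc/mounts content, modelled on an Atomic-style
# layout with a read-only root and a writable /var; not captured from a host.
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/atomicos-root / xfs ro,seclabel,relatime,attr2,inode64 0 0
/dev/mapper/atomicos-root /var xfs rw,seclabel,relatime,attr2,inode64 0 0
tmpfs /tmp tmpfs rw,seclabel,nosuid,nodev 0 0
"""

def parse_mounts(text):
    """Return a list of (mountpoint, options_set) from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        # /proc/mounts encodes spaces in paths as the octal escape \040
        mountpoint = fields[1].replace("\\040", " ")
        mounts.append((mountpoint, set(fields[3].split(","))))
    return mounts

def mount_for(path, mounts):
    """Pick the mount whose mountpoint is the longest prefix of path."""
    path = os.path.normpath(path)
    best = None
    for mountpoint, opts in mounts:
        mp = os.path.normpath(mountpoint)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best

def runc_is_protected(path, mounts_text):
    """True when the mount holding `path` carries the 'ro' option."""
    found = mount_for(path, parse_mounts(mounts_text))
    return found is not None and "ro" in found[1]

def check_host(candidates=("/usr/bin/runc", "/usr/bin/docker-runc")):
    """Read the live /proc/mounts and report each candidate present on disk.

    The candidate paths are assumed locations, not taken from the advisory."""
    with open("/proc/mounts") as fh:
        text = fh.read()
    return {p: runc_is_protected(p, text) for p in candidates if os.path.exists(p)}
```

A result of False for a runc path means the binary is on a writable mount and the package update in this advisory is the only protection; a read-only mount alone does not replace patching on hosts where runc is later upgraded in place.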