The 'docker' package shipped in Kylin Enterprise Linux 7 Extras bundles 'runc' starting from 'docker' version 1.12. Both the 'docker' and 'runc' packages are affected by this issue.
The 'docker-latest' package is deprecated as of Kylin Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Kylin Enterprise Linux 7 Extras.
OpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Kylin Enterprise Linux 7 Extras.
OCP versions 3.4 through 3.7 use 'docker' version 1.12 from the Kylin Enterprise Linux 7 Extras channel, which is also affected by this issue.
OpenShift Container Platform 3.9 previously shipped a version of 'runc' in its RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Kylin Enterprise Linux 7 Extras channel.
Kylin Enterprise Linux Atomic Host 7 is not affected by this vulnerability as the target runc binaries are stored on a read-only filesystem and cannot be overwritten.
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.
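The mitigation credited above for Atomic Host is that the runc binary sits on a read-only filesystem, so an overwrite through the /proc/self/exe descriptor cannot land on disk. The following shell script, an added example that is not part of this advisory or of the runc/docker projects, checks that property for a given binary path by parsing a /proc/self/mounts-format table; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the filesystem holding a container runtime
# binary (e.g. /usr/bin/runc) is mounted read-only. Reads a file in
# /proc/self/mounts format so it can be run against the live system or,
# as here, against a constructed sample.

# Print the mount options of the longest mount point that contains PATH.
# $1 = absolute path of the binary, $2 = file in /proc/self/mounts format
mount_opts_for() {
    awk -v p="$1" '
        {
            mp = $2
            # the mount point must be "/" or a prefix ending at a "/" boundary
            if (index(p, mp) == 1 && (mp == "/" || substr(p, length(mp) + 1, 1) == "/")) {
                if (length(mp) > best_len) { best_len = length(mp); best = $4 }
            }
        }
        END { print best }' "$2"
}

# Return 0 when the mount holding PATH carries the "ro" option, 1 otherwise.
is_readonly_mount() {
    opts=$(mount_opts_for "$1" "$2")
    case ",$opts," in
        *,ro,*) return 0 ;;
    esac
    return 1
}

# Constructed sample mount table (not taken from a real host).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /usr/local ext4 rw,relatime 0 0
EOF

# Print a one-line verdict for a binary; on a live host pass /proc/self/mounts.
check_runc_binary() {
    if is_readonly_mount "$1" "$2"; then
        echo "$1: read-only mount, cannot be overwritten in place"
    else
        echo "$1: writable mount, update the runc/docker packages"
    fi
}

check_runc_binary /usr/bin/runc "$SAMPLE_MOUNTS"
check_runc_binary /usr/local/bin/runc "$SAMPLE_MOUNTS"
```

A read-only mount only prevents the in-place overwrite; hosts on a writable filesystem still need the updated 'docker' and 'runc' packages.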