Race Condition Affecting github.com/opencontainers/runc/libcontainer package, versions <1.0.0-rc10
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMOPENCONTAINERSRUNCLIBCONTAINER-540485
- published 2 Jan 2020
- disclosed 24 Dec 2019
- credit Unknown
Introduced: 24 Dec 2019
CVE-2019-19921 Open this link in a new tabHow to fix?
Upgrade github.com/opencontainers/runc/libcontainer to version 1.0.0-rc10 or higher.
Overview
github.com/opencontainers/runc/libcontainer is a package for a modern container runtime.
Affected versions of this package are vulnerable to Race Condition an attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume. The second container won't be able to see the actual mount, but it can race it by modifying the mount point on the volume.
This can be exploited for a full container breakout by racing readonly/mask mounts, allowing writes to dangerous paths like /proc/sys/kernel/core_pattern.