In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade github.com/opencontainers/runc/libcontainer
to version 1.0.0-rc91 or higher.
github.com/opencontainers/runc/libcontainer is a package for a modern container runtime.
Affected versions of this package are vulnerable to Privilege Escalation. runc
's implementation of the linux.resources.devices
list was a black-list by default. This means that users who created their own config.json
objects and didn't prefix a deny-all rule ({"allow": false, "permissions": "rwm"}
or equivalent) were not provided protection by the devices cgroup. This would allow malicious containers (with sufficient privileges) to create arbitrary device inodes (assuming they have CAP_MKNOD) and operate on any device inodes they may have access to (assuming they have regular Unix DAC permissions).
However, most (if not all) programs that make use of runc
include this deny-all rule. This was most likely added before the specification mandated a white-list of devices, and the fact that all programs wrote their own deny-all rule obscured the existence of this bug for several years. In fact, even the specification's examples include a default deny-all rule! We therefore believe that while this is a security bug (and has been fixed as such), it was almost certainly not exploitable in the wild due to the inclusion of default deny-all rules by all known users of runc -- hence why this advisory has low severity.