What is CVE-2019-19921?

CVE-2019-19921 is a vulnerability found in runc, where an attacker who controls the container image for two containers that share a volume can trick runc into not correctly configuring the container's security labels.

What is the impact of CVE-2019-19921?

The impact of CVE-2019-19921 is that an attacker in control of both containers can exploit the vulnerability to bypass security measures and potentially gain unauthorized access or manipulate container processes.

What is the severity of CVE-2019-19921?

CVE-2019-19921 has a severity level of high.

How can I fix CVE-2019-19921?

To fix CVE-2019-19921, it is recommended to update runc to version 1.0.0-66.rc8.el7_7 or the appropriate patched version provided by your OS or distribution.

Where can I find more information about CVE-2019-19921?

You can find more information about CVE-2019-19921 on CVE.org, NVD, Bugzilla Red Hat, and the Red Hat Errata page.

Vulnerability/
CVE-2019-19921

high

CWE

362 706 41

21/12/2019

12/2/2020

27/5/2021

21/11/2024

CVE-2019-19921: Race Condition

First published: Sat Dec 21 2019(Updated: )

### Impact By crafting a malicious root filesystem (with `/proc` being a symlink to a directory which was inside a volume shared with another running container), an attacker in control of both containers can trick `runc` into not correctly configuring the container's security labels and not correctly masking paths inside `/proc` which contain potentially-sensitive information about the host (or even allow for direct attacks against the host). In order to exploit this bug, an untrusted user must be able to spawn custom containers with custom mount configurations (such that a volume is shared between two containers). It should be noted that we consider this to be a fairly high level of access for an untrusted user -- and we do not recommend allowing completely untrusted users to have such degrees of access without further restrictions. ### Specific Go Package Affected github.com/opencontainers/runc/libcontainer ### Patches This vulnerability has been fixed in `1.0.0-rc10`. It should be noted that the current fix is effectively a hot-fix, and there are known ways for it to be worked around (such as making the entire root filesystem a shared volume controlled by another container). We recommend that users review their access policies to ensure that untrusted users do not have such high levels of controls over container mount configuration. ### Workarounds If you are not providing the ability for untrusted users to configure mountpoints for `runc` (or through a higher-level tool such as `docker run -v`) then you are not vulnerable to this issue. This exploit requires fairly complicated levels of access (which are available for some public clouds but are not necessarily available for all deployments). Additionally, it appears as though it is not possible to exploit this vulnerability through Docker (due to the order of mounts Docker generates). However you should not depend on this, as it may be possible to work around this roadblock. ### Credits This vulnerability was discovered by Cure53, as part of a third-party security audit. ### For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/opencontainers/runc/issues/new). * Email us at [dev@opencontainers.org](mailto:dev@opencontainers.org), or [security@opencontainers.org](mailto:security@opencontainers.org) if you think you've found a security bug.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
redhat/runc	<0:1.0.0-66.rc8.el7_7	0:1.0.0-66.rc8.el7_7
redhat/runc	<0:1.0.0-63.rc8.rhaos4.1.git3cbe540.el8_0	0:1.0.0-63.rc8.rhaos4.1.git3cbe540.el8_0
redhat/runc	<0:1.0.0-63.rc10.rhaos4.2.gitdc9208a.el8	0:1.0.0-63.rc10.rhaos4.2.gitdc9208a.el8
redhat/runc	<0:1.0.0-66.rc10.rhaos4.3.el7_8	0:1.0.0-66.rc10.rhaos4.3.el7_8
redhat/runc	<1.0.0	1.0.0
Linuxfoundation Runc	<=0.1.1
Linuxfoundation Runc	=1.0.0-rc1
Linuxfoundation Runc	=1.0.0-rc2
Linuxfoundation Runc	=1.0.0-rc3
Linuxfoundation Runc	=1.0.0-rc4
Linuxfoundation Runc	=1.0.0-rc5
Linuxfoundation Runc	=1.0.0-rc6
Linuxfoundation Runc	=1.0.0-rc7
Linuxfoundation Runc	=1.0.0-rc8
Linuxfoundation Runc	=1.0.0-rc9
Debian Debian Linux	=9.0
Debian Debian Linux	=10.0
openSUSE Leap	=15.1
Canonical Ubuntu Linux	=18.04
Canonical Ubuntu Linux	=19.10
Redhat Openshift Container Platform	=4.1
Redhat Openshift Container Platform	=4.2
go/github.com/opencontainers/runc	<1.0.0-rc9.0.20200122160610-2fc03cc11c77	1.0.0-rc9.0.20200122160610-2fc03cc11c77
debian/runc		1.0.0~rc93+ds1-5+deb11u5 1.0.0~rc93+ds1-5+deb11u3 1.1.5+ds1-1+deb12u1 1.1.15+ds1-1

Remedy

https://github.com/opencontainers/runc/issues/2197

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2019-19921?
CVE-2019-19921 is a vulnerability found in runc, where an attacker who controls the container image for two containers that share a volume can trick runc into not correctly configuring the container's security labels.
What is the impact of CVE-2019-19921?
The impact of CVE-2019-19921 is that an attacker in control of both containers can exploit the vulnerability to bypass security measures and potentially gain unauthorized access or manipulate container processes.
What is the severity of CVE-2019-19921?
CVE-2019-19921 has a severity level of high.
How can I fix CVE-2019-19921?
To fix CVE-2019-19921, it is recommended to update runc to version 1.0.0-66.rc8.el7_7 or the appropriate patched version provided by your OS or distribution.
Where can I find more information about CVE-2019-19921?
You can find more information about CVE-2019-19921 on CVE.org, NVD, Bugzilla Red Hat, and the Red Hat Errata page.

collector/redhat-cve
agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2019-19921
agent/software-canonical-lookup
agent/weakness
agent/severity
agent/author
collector/nvd-api
agent/software-canonical-lookup-request
collector/nvd-index
collector/github-advisory-latest
source/GitHub
alias/GHSA-fh74-hm69-rqjw
collector/github-advisory
collector/mitre-cve
source/MITRE
collector/usn-cve
source/Ubuntu
agent/references
agent/remedy
agent/tags
agent/description
agent/event
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/nvd-cve
source/NVD
agent/last-modified-date
agent/trending
package-manager/redhat
vendor/linuxfoundation
canonical/linuxfoundation runc
version/linuxfoundation runc/0.1.1
version/linuxfoundation runc/1.0.0-rc1
version/linuxfoundation runc/1.0.0-rc2
version/linuxfoundation runc/1.0.0-rc3
version/linuxfoundation runc/1.0.0-rc4
version/linuxfoundation runc/1.0.0-rc5
version/linuxfoundation runc/1.0.0-rc6
version/linuxfoundation runc/1.0.0-rc7
version/linuxfoundation runc/1.0.0-rc8
version/linuxfoundation runc/1.0.0-rc9
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0
version/debian debian linux/10.0
vendor/opensuse
canonical/opensuse leap
version/opensuse leap/15.1
vendor/canonical
canonical/canonical ubuntu linux
version/canonical ubuntu linux/18.04
version/canonical ubuntu linux/19.10
vendor/redhat
canonical/redhat openshift container platform
version/redhat openshift container platform/4.1
version/redhat openshift container platform/4.2
package-manager/go
package-manager/debian