CVE-2019-5736: OS Command Injection
First published: Thu Jan 10 2019(Updated: )
runc has a vulnerability in the usage of system file descriptors that allows for container escape and access to the host filesystem. An attacker can exploit this by convincing users to run malicious or modified containers on their systems.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/runc | <1.0.0~ | 1.0.0~ |
| ubuntu/runc | <1.0.0~ | 1.0.0~ |
| ubuntu/runc | <1.0.0~ | 1.0.0~ |
| ubuntu/docker.io | <18.06.1-0ubuntu1.2~18.04.1 | 18.06.1-0ubuntu1.2~18.04.1 |
| ubuntu/docker.io | <18.06.1-0ubuntu1.2 | 18.06.1-0ubuntu1.2 |
| ubuntu/docker.io | <18.06.1-0ubuntu1.2~16.04.1 | 18.06.1-0ubuntu1.2~16.04.1 |
| debian/lxc | 1:3.1.0+really3.0.3-8 1:3.1.0+really3.0.3-8+deb10u1 1:4.0.6-2+deb11u2 1:5.0.2-1+deb12u2 1:5.0.3-2 | |
| debian/runc | 1.0.0~rc6+dfsg1-3 1.0.0~rc6+dfsg1-3+deb10u3 1.0.0~rc93+ds1-5+deb11u3 1.1.5+ds1-1+deb12u1 1.1.12+ds1-1 | |
| Docker Docker | <18.09.2 | |
| Linuxfoundation Runc | <=0.1.1 | |
| Linuxfoundation Runc | =1.0.0-rc1 | |
| Linuxfoundation Runc | =1.0.0-rc2 | |
| Linuxfoundation Runc | =1.0.0-rc3 | |
| Linuxfoundation Runc | =1.0.0-rc4 | |
| Linuxfoundation Runc | =1.0.0-rc5 | |
| Linuxfoundation Runc | =1.0.0-rc6 | |
| Redhat Container Development Kit | =3.7 | |
| Redhat Openshift | =3.4 | |
| Redhat Openshift | =3.5 | |
| Redhat Openshift | =3.6 | |
| Redhat Openshift | =3.7 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Google Kubernetes Engine | ||
| Linuxcontainers Lxc | <3.2.0 | |
| Hp Onesphere | ||
| Netapp Hci Management Node | ||
| Netapp Solidfire | ||
| Apache Mesos | >=1.4.0<1.4.3 | |
| Apache Mesos | >=1.6.0<1.6.2 | |
| Apache Mesos | >=1.7.0<1.7.2 | |
| openSUSE Backports SLE | =15.0 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =42.3 | |
| D2iq Kubernetes Engine | <2.2.0-1.13.3 | |
| D2iq Dc\/os | <1.10.10 | |
| D2iq Dc\/os | >=1.10.11<1.11.9 | |
| D2iq Dc\/os | >=1.11.10<1.12.1 | |
| Fedoraproject Fedora | =29 | |
| Fedoraproject Fedora | =30 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =18.10 | |
| Canonical Ubuntu Linux | =19.04 | |
| Microfocus Service Management Automation | =2018.02 | |
| Microfocus Service Management Automation | =2018.05 | |
| Microfocus Service Management Automation | =2018.08 | |
| Microfocus Service Management Automation | =2018.11 |
Remedy
https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html
- http://packetstormsecurity.com/files/163339/Docker-Container-Escape.html
- http://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html
- http://www.openwall.com/lists/oss-security/2019/03/23/1
- http://www.openwall.com/lists/oss-security/2019/06/28/2
- http://www.openwall.com/lists/oss-security/2019/07/06/3
- http://www.openwall.com/lists/oss-security/2019/07/06/4
- http://www.openwall.com/lists/oss-security/2019/10/24/1
- http://www.openwall.com/lists/oss-security/2019/10/29/3
- http://www.securityfocus.com/bid/106976
- https://access.redhat.com/errata/RHSA-2019:0303
- https://access.redhat.com/errata/RHSA-2019:0304
- https://access.redhat.com/errata/RHSA-2019:0401
- https://access.redhat.com/errata/RHSA-2019:0408
- https://access.redhat.com/errata/RHSA-2019:0975
- https://access.redhat.com/security/cve/cve-2019-5736
- https://access.redhat.com/security/vulnerabilities/runcescape
- https://aws.amazon.com/security/security-bulletins/AWS-2019-002/
- https://azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/
- https://azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/
- https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
- https://brauner.github.io/2019/02/12/privileged-containers.html
- https://bugzilla.suse.com/show_bug.cgi?id=1121967
- https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc
- https://github.com/Frichetten/CVE-2019-5736-PoC
- https://github.com/docker/docker-ce/releases/tag/v18.09.2
- https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
- https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d
- https://github.com/q3k/cve-2019-5736-poc
- https://github.com/rancher/runc-cve
- https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
- https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3@%3Cdev.dlab.apache.org%3E
- https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706@%3Cuser.mesos.apache.org%3E
- https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46@%3Cdev.dlab.apache.org%3E
- https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e@%3Cdev.dlab.apache.org%3E
- https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E
- https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587@%3Cdev.dlab.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/
- https://security.gentoo.org/glsa/202003-21
- https://security.netapp.com/advisory/ntap-20190307-0008/
- https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us
- https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc
- https://usn.ubuntu.com/4048-1/
- https://www.exploit-db.com/exploits/46359/
- https://www.exploit-db.com/exploits/46369/
- https://www.openwall.com/lists/oss-security/2019/02/11/2
- https://www.synology.com/security/advisory/Synology_SA_19_06
- https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1520029&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1520029&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1520030&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1520030&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1674489
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1674490
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1674491
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1674493
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1674492
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1674488
- https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1676798
- https://seclists.org/oss-sec/2019/q1/119
- https://bugzilla.redhat.com/show_bug.cgi?id=1664908
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us
- https://launchpad.net/bugs/cve/CVE-2019-5736
- https://security-tracker.debian.org/tracker/CVE-2019-5736
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
- https://nvd.nist.gov/vuln/detail/CVE-2019-5736
- https://ubuntu.com/security/CVE-2019-5736
- https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E
- https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/
- https://lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E
- https://lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/
- https://lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E
- https://lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- http://www.openwall.com/lists/oss-security/2024/01/31/6
- http://www.openwall.com/lists/oss-security/2024/02/01/1
- http://www.openwall.com/lists/oss-security/2024/02/02/3
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2019-5736.
What is the affected software?
The affected software includes Docker before version 18.09.2, Linuxfoundation Runc before version 1.0.0-rc6, and other products.
How can an attacker exploit this vulnerability?
An attacker can exploit this vulnerability by executing a command as root within one of the affected containers to overwrite the host runc binary and gain root access on the host.
What is the severity rating of this vulnerability?
The severity rating of this vulnerability is critical with a CVSS score of 8.6.
Are there any references related to this vulnerability?
Yes, you can find more information about this vulnerability in the following references: [Reference 1](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1520029&action=diff), [Reference 2](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1520029&action=edit), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1520030&action=diff).
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-5736
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/severity
- agent/first-publish-date
- agent/description
- agent/author
- agent/last-modified-date
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- package-manager/ubuntu
- package-manager/debian
- vendor/docker
- canonical/docker docker
- vendor/linuxfoundation
- canonical/linuxfoundation runc
- version/linuxfoundation runc/0.1.1
- version/linuxfoundation runc/1.0.0-rc1
- version/linuxfoundation runc/1.0.0-rc2
- version/linuxfoundation runc/1.0.0-rc3
- version/linuxfoundation runc/1.0.0-rc4
- version/linuxfoundation runc/1.0.0-rc5
- version/linuxfoundation runc/1.0.0-rc6
- vendor/redhat
- canonical/redhat container development kit
- version/redhat container development kit/3.7
- canonical/redhat openshift
- version/redhat openshift/3.4
- version/redhat openshift/3.5
- version/redhat openshift/3.6
- version/redhat openshift/3.7
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- vendor/google
- canonical/google kubernetes engine
- vendor/linuxcontainers
- canonical/linuxcontainers lxc
- vendor/hp
- canonical/hp onesphere
- vendor/netapp
- canonical/netapp hci management node
- canonical/netapp solidfire
- vendor/apache
- canonical/apache mesos
- version/apache mesos/1.4.0
- version/apache mesos/1.5.0
- version/apache mesos/1.6.0
- version/apache mesos/1.7.0
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0
- version/opensuse backports sle/15.0-sp1
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/15.1
- version/opensuse leap/42.3
- vendor/d2iq
- canonical/d2iq kubernetes engine
- canonical/d2iq dc\/os
- version/d2iq dc\/os/1.10.11
- version/d2iq dc\/os/1.11.10
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/29
- version/fedoraproject fedora/30
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/18.10
- version/canonical ubuntu linux/19.04
- vendor/microfocus
- canonical/microfocus service management automation
- version/microfocus service management automation/2018.02
- version/microfocus service management automation/2018.05
- version/microfocus service management automation/2018.08
- version/microfocus service management automation/2018.11