Firms Urged to Patch Serious Container Runtime Flaw

February 12, 2019 / Phil Muncaster

Enterprises have been urged to patch a serious flaw in runc, the default low-level runtime used by Docker and Kubernetes, and to ensure they have SELinux enabled. Aleksa Sarai, one of the maintainers of runc, made the initial announcement on Tuesday, attributing the discovery to researchers Adam Iwaniuk and Borys Poplawski. Beyond Docker and Kubernetes, runc also underpins containerd, Podman, CRI-O and countless other container offerings, so the exposure is not limited to one vendor's stack.

“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,” said Sarai. “The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts: creating a new container using an attacker-controlled image; attaching (docker exec) into an existing container which the attacker had previous write access to.”

In other words, no flaw in the attacker's own command is required: simply launching a container from an untrusted image, or exec-ing into a container an attacker has already written to, is enough to trigger the overwrite, and the result is root on the host rather than merely inside the container.

RedHat senior principal pr...
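The attack Sarai describes ends with the host's runc binary being overwritten, so one check a defender can add alongside patching is a file-integrity baseline for that binary. The script below is an added example written for this page; it is not code from the article, from the runc project, or from Red Hat. It assumes runc is installed at /usr/bin/runc (override with the RUNC_PATH environment variable) and that either sha256sum or shasum is on the PATH; the baseline file location is also an assumption.

```shell
#!/bin/sh
# Added example (not from the article or the runc project): record a SHA-256
# baseline of the host runc binary and later verify it has not been replaced.
# RUNC_PATH is an assumed default; set it to `command -v runc` on the host.
RUNC_PATH="${RUNC_PATH:-/usr/bin/runc}"

# sha256_of FILE -> prints the hex digest, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_baseline FILE BASELINE -> writes "digest  path" to BASELINE.
# Run this once from a known-good state (freshly patched host) and store a
# copy of BASELINE off the host, since a root-level attacker could edit it.
record_baseline() {
    printf '%s  %s\n' "$(sha256_of "$1")" "$1" > "$2"
}

# verify_runc FILE BASELINE -> exit status:
#   0  digest matches the recorded baseline
#   1  digest differs (binary replaced, which is what this flaw enables)
#   2  FILE is missing
verify_runc() {
    file="$1"
    baseline="$2"
    [ -f "$file" ] || return 2
    expected=$(awk '{print $1}' "$baseline")
    actual=$(sha256_of "$file")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $file matches baseline"
        return 0
    fi
    echo "ALERT: $file does not match baseline (expected $expected, got $actual)" >&2
    return 1
}

# Stand-alone usage:
#   ./runc-check.sh record  /path/to/baseline   (from a trusted state)
#   ./runc-check.sh verify  /path/to/baseline   (from cron or a CI hook)
if [ "$#" -eq 2 ]; then
    case "$1" in
        record) record_baseline "$RUNC_PATH" "$2"; exit $? ;;
        verify) verify_runc "$RUNC_PATH" "$2"; exit $? ;;
    esac
fi
```

A hash comparison only tells you the binary changed after the baseline was taken, so take the baseline immediately after applying the fixed runc package, keep it somewhere the host cannot write, and cross-check with the distribution's own package verification (for example `rpm -V runc` on RPM-based systems). A mismatch should be treated as a host compromise, not just a tampered file, because the whole point of the flaw is that the overwritten runc runs as root the next time any container is started or exec-ed into.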