Adam Iwaniuk

**Name of the Vulnerable Software and Affected Versions** runc versions prior to 1.0-rc6 Docker versions prior to 18.09.2 **Description** The issue is related to file-descriptor mishandling in the runc tool, which can be exploited to execute arbitrary code. This can allow an attacker to overwrite the host runc binary and gain root access. The vulnerability can be exploited by executing a command as root within a container, either by creating a new container with an attacker-controlled image or by attaching to an existing container with docker exec. The vulnerability affects Azure Container Instances (ACI) and can be used to escape from a container and gain access to other containers in the same cluster. **Recommendations** For runc versions prior to 1.0-rc6: Update to a version later than 1.0-rc6 to fix the file-descriptor mishandling issue. For Docker versions prior to 18.09.2: Update to a version later than 18.09.2 to ensure that the runc tool is updated to a secure version. As a temporary workaround, consider disabling the execution of commands as root within containers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** runc versions through 1.0.0-rc8 Docker versions through 19.03.2-ce **Description** The issue is related to a component of AppArmor in the runc tool for running isolated containers, which is associated with shortcomings in the authorization mechanism. This allows a remote attacker to mount a malicious Docker image in the /proc directory. The problem arises due to improper validation of mount targets, enabling a malicious image to mount volumes over sensitive directories like /proc. **Recommendations** For runc versions through 1.0.0-rc8, consider disabling the `libcontainer/rootfs linux.go` function until a patch is available to prevent the bypassing of AppArmor restrictions. For Docker versions through 19.03.2-ce, restrict access to the `libcontainer/rootfs linux.go` module to minimize the risk of exploitation. As a temporary workaround, avoid using the `/proc` directory in the affected API endpoints until the issue is resolved.