PT-2019-5667 · Docker+8 · Docker+9

Adam Iwaniuk · Published 2016-08-03 · Updated 2024-06-15 · CVE-2019-16884

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

runc versions through 1.0.0-rc8
Docker versions through 19.03.2-ce

Description

The issue is related to a component of AppArmor in the runc tool for running isolated containers, which is associated with shortcomings in the authorization mechanism. This allows a remote attacker to mount a malicious Docker image in the /proc directory. The problem arises due to improper validation of mount targets, enabling a malicious image to mount volumes over sensitive directories like /proc.

Recommendations

For runc versions through 1.0.0-rc8, consider disabling the libcontainer/rootfs_linux.go function until a patch is available to prevent the bypassing of AppArmor restrictions. For Docker versions through 19.03.2-ce, restrict access to the libcontainer/rootfs_linux.go module to minimize the risk of exploitation. As a temporary workaround, avoid using the /proc directory in the affected API endpoints until the issue is resolved.

Weakness Enumeration

Incorrect Authorization

Related identifiers

ALSA-2019:4269
ALT-PU-2016-1817
ALT-PU-2019-2850
ALT-PU-2020-1253
ALT-PU-2020-2984
ALT-PU-2020-2985
ALT-PU-2020-3026
ALT-PU-2020-3027
BDU:2020-04920
CESA-2019_4269
CVE-2019-16884
DLA-3322-1
DLA-3369-1
GHSA-FGV8-VJ5C-2PPQ
GO-2021-0085
MGASA-2020-0050
OPENSUSE-SU-2019:2418-1
OPENSUSE-SU-2019:2434-1
OPENSUSE-SU-2019_2418-1
OPENSUSE-SU-2019_2434-1
OPENSUSE-SU-2020:0045-1
OPENSUSE-SU-2020_0045-1
OPENSUSE-SU-2024:11358-1
RHSA-2019:3940
RHSA-2019:4074
RHSA-2019:4269
RHSA-2019_4269
RHSA-2020:1234
RLSA-2019:4269
SUSE-SU-2019:2786-1
SUSE-SU-2019:2787-1
SUSE-SU-2019:2810-1
SUSE-SU-2019_2786-1
SUSE-SU-2019_2787-1
SUSE-SU-2019_2810-1
SUSE-SU-2020:0035-1
SUSE-SU-2020:0065-1
SUSE-SU-2020_0035-1
SUSE-SU-2020_0065-1
SUSE-SU-2021:1458-1
USN-4297-1
USN-4867-1

Affected products

ALT Linux
AlmaLinux
AppArmor
CentOS
Docker
Red Hat
Rocky Linux
SUSE
Ubuntu
runc