PT-2019-5667
Adam Iwaniuk · Published 2016-08-03 · Updated 2024-06-15
CVE-2019-16884

| Metric | Value |
| --- | --- |
| CVSS v2.0 score | 7.8 (High) |
| Vector | AV:N/AC:L/Au:N/C:N/I:C/A:N |
Name of the Vulnerable Software and Affected Versions
runc versions through 1.0.0-rc8
Docker versions through 19.03.2-ce
Description
The issue lies in the AppArmor-related handling of runc, a tool for running isolated containers, and stems from shortcomings in its authorization mechanism. It allows a remote attacker to mount a malicious Docker image over the /proc directory. Because mount targets are not properly validated, a malicious image can mount volumes over sensitive directories such as /proc.
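A defender-side check in the spirit of the description above, written as an added example (not runc's or Docker's own code): it audits the `mounts` array of an OCI runtime `config.json` and reports any mount that would shadow /proc unless it is the container's own procfs. The policy, the helper names and the sample config are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"path"
	"strings"
)

// Mount holds the OCI runtime spec "mounts" fields the check needs.
type Mount struct {
	Destination string `json:"destination"`
	Type        string `json:"type"`
	Source      string `json:"source"`
}

// checkProcMounts returns the cleaned destination of every mount that would
// shadow /proc in the container. Policy (this example's own, not runc's): only
// a procfs mount may sit at /proc; anything else at or below /proc is reported.
// path.Clean resolves "/proc/../proc/" and "proc/self"; "/process" is not matched.
func checkProcMounts(mounts []Mount) []string {
	var bad []string
	for _, m := range mounts {
		dest := path.Clean("/" + m.Destination)
		if dest == "/proc" && m.Type == "proc" {
			continue // the container's legitimate procfs
		}
		if dest == "/proc" || strings.HasPrefix(dest, "/proc/") {
			bad = append(bad, dest+" <- "+m.Type+":"+m.Source)
		}
	}
	return bad
}

// auditConfig parses a runtime config.json and returns the findings.
func auditConfig(configJSON []byte) ([]string, error) {
	var spec struct {
		Mounts []Mount `json:"mounts"`
	}
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, err
	}
	return checkProcMounts(spec.Mounts), nil
}

// sampleConfig is a constructed config.json fragment: the normal procfs mount,
// a tmpfs, and a bind mount for a volume that resolves onto /proc.
const sampleConfig = `{"mounts":[
 {"destination":"/proc","type":"proc","source":"proc"},
 {"destination":"/tmp","type":"tmpfs","source":"tmpfs"},
 {"destination":"/proc/../proc/","type":"bind","source":"/var/lib/docker/volumes/vol1/_data"}]}`
```

Running `auditConfig` over the sample yields one finding for the bind mount, while the procfs and tmpfs entries pass; a runtime hook or admission check could refuse to start a container whose config produces any finding.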
Recommendations
For runc versions through 1.0.0-rc8, consider disabling the libcontainer/rootfs_linux.go function until a patch is available, to prevent the bypassing of AppArmor restrictions.
For Docker versions through 19.03.2-ce, restrict access to the libcontainer/rootfs_linux.go module to minimize the risk of exploitation.
As a temporary workaround, avoid using the /proc directory in the affected API endpoints until the issue is resolved.
Weakness Enumeration
Incorrect Authorization
Affected Products
Alt Linux
Almalinux
Apparmor
Centos
Docker
Red Hat
Rocky Linux
Suse
Ubuntu
Runc