PT-2020-10295 · Open Container Initiative+7 · Runc+7
Cyphar · Published 2016-08-03 · Updated 2024-12-06 · CVE-2019-19921
CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
runc versions through 1.0.0-rc9
runc version 1.0.0-rc10 is not affected, as it contains the fix for this issue.
Description
The issue is an incorrect access control flaw that leads to privilege escalation. To exploit it, an attacker must be able to spawn two containers with custom volume-mount configurations and run custom images. The vulnerable code is in libcontainer/rootfs_linux.go. By crafting a malicious root filesystem, an attacker can trick runc into not correctly configuring the container's security labels and not correctly masking paths inside /proc that contain potentially sensitive information about the host. This could allow direct attacks against the host.
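A defender-side check for the effect described above: from inside a running container, confirm that /proc is a real procfs and that each of the default masked paths is actually covered by a mount. This is an added example, not runc code; the masked-path list is the OCI/runc default as I know it (not taken from this page), and the sample mountinfo text is constructed.

```python
"""Verify that a container's /proc is a real procfs and that the OCI default
masked paths are covered by a mount (bind of /dev/null or a tmpfs), as runc
arranges when it resolves the rootfs correctly.  Added example, not runc code."""

# Assumed: the OCI/runc default maskedPaths under /proc (from knowledge, not this page).
DEFAULT_MASKED = [
    "/proc/kcore", "/proc/keys", "/proc/latency_stats", "/proc/timer_list",
    "/proc/timer_stats", "/proc/sched_debug", "/proc/scsi",
]

def parse_mountinfo(text):
    """Map mountpoint -> (fstype, root) from /proc/self/mountinfo text.
    Layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts."""
    mounts = {}
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        fields, tail = pre.split(), post.split()
        if not sep or len(fields) < 6 or len(tail) < 2:
            continue  # blank or malformed line
        mounts[fields[4]] = (tail[0], fields[3])
    return mounts

def check_proc_masking(mountinfo_text, masked=DEFAULT_MASKED):
    """Return a list of findings; an empty list means /proc looks correctly set up."""
    mounts = parse_mountinfo(mountinfo_text)
    findings = []
    proc = mounts.get("/proc")
    if proc is None or proc[0] != "proc":
        findings.append("/proc is not a procfs mount")
    for path in masked:
        cover = mounts.get(path)
        if cover is None:
            findings.append(f"{path} not masked")
        elif cover[0] != "tmpfs" and cover[1] != "/null":
            findings.append(f"{path} covered by unexpected mount {cover[0]}:{cover[1]}")
    return findings

# Constructed sample: a correctly set-up container, one /dev/null bind per masked path.
GOOD = "50 40 0:50 / /proc rw,nosuid - proc proc rw\n" + "".join(
    f"{51 + i} 50 0:5 /null {p} rw - tmpfs tmpfs rw,mode=755\n"
    for i, p in enumerate(DEFAULT_MASKED))
# Constructed sample: the masks were applied elsewhere, so nothing covers these paths.
BAD = "50 40 0:50 / /proc rw,nosuid - proc proc rw\n"

if __name__ == "__main__":
    with open("/proc/self/mountinfo") as f:
        print(check_proc_masking(f.read()) or ["ok"])
```

Run inside the container; any finding means the sensitive /proc entries are reachable and the runtime or its configuration needs attention.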
Recommendations
For runc versions through 1.0.0-rc9, update to version 1.0.0-rc10 to resolve the issue.
As a temporary workaround, consider restricting access to custom volume mount configurations and custom images to minimize the risk of exploitation.
Review access policies to ensure that untrusted users do not have high levels of control over container mount configuration.
Fix
Race Condition
Affected Products
Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Ubuntu
Runc