CVE-2019-5736 - Rolling out patched runc

Update: Added other affected services in addition to Kubernetes.

Last week a new vulnerability in Docker’s runc was announced: CVE-2019-5736. You can read more about this specific vulnerability and how it affects Kubernetes users in the Kubernetes blog: https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/.

The gist is that when a process runs as root (UID 0) inside a container, that process can exploit a bug in runc to gain root privileges on the host running the container. The most common source of exposure is therefore attacker-controlled container images, for example unvetted images pulled from public registries.

Affected services

  • Concourse
  • ECS
  • Kubernetes

What are we doing

What can you do

Since running as UID 0 inside a container poses a risk, you can configure your Pods to run containers as a non-root user (a non-zero UID) by setting securityContext.runAsUser in the Pod spec. More information can be found in the Kubernetes blog post and the Kubernetes documentation.
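As an added example (not part of the original advisory or of the Kubernetes project), a small Python check that walks a Pod manifest and reports the containers that are not configured to run as a non-root user, applying the rule that a container-level securityContext overrides the Pod-level one; the manifests and image names are constructed.

```python
# Added example: flag containers in a Pod manifest that may run as UID 0.
# Assumes plain dicts shaped like Pod manifests (e.g. from yaml.safe_load).

def _effective(pod_sc, ctr_sc, key):
    """Container-level securityContext overrides the Pod-level value."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)

def root_risk_containers(pod):
    """Return names of containers not proven to run as a non-root user.

    A container counts as safe only if its effective runAsUser is a non-zero
    UID, or if runAsUser is unset and runAsNonRoot is true (the kubelet then
    refuses to start an image whose USER resolves to UID 0). An explicit
    runAsUser: 0 is always flagged, whatever the Pod-level default says.
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    flagged = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        ctr_sc = ctr.get("securityContext") or {}
        uid = _effective(pod_sc, ctr_sc, "runAsUser")
        non_root = _effective(pod_sc, ctr_sc, "runAsNonRoot")
        safe = (uid is not None and uid != 0) or (uid is None and non_root is True)
        if not safe:
            flagged.append(ctr["name"])
    return flagged

# Constructed sample: no securityContext at all, so the image USER decides
# (usually root); the sidecar even asks for root explicitly. Both are flagged.
UNSAFE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo-unsafe"},
              "spec": {"containers": [
                  {"name": "web", "image": "example.invalid/web:1"},
                  {"name": "sidecar", "image": "example.invalid/sidecar:1",
                   "securityContext": {"runAsUser": 0}}]}}

# Constructed sample: Pod-level non-root default; one container overrides to root.
SAFER_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo-safer"},
             "spec": {"securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
                      "containers": [
                          {"name": "web", "image": "example.invalid/web:1"},
                          {"name": "debug", "image": "example.invalid/debug:1",
                           "securityContext": {"runAsUser": 0}}]}}

if __name__ == "__main__":
    for pod in (UNSAFE_POD, SAFER_POD):
        print(pod["metadata"]["name"], root_risk_containers(pod))
```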