Update: Added other affected services next to Kubernetes.
Last week a new vulnerability in runc, the container runtime underneath Docker, was announced: CVE-2019-5736. You can read more about this specific vulnerability and how it affects Kubernetes users in the Kubernetes blog: https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/.
The gist is that a process running as root (UID 0) inside a container can exploit a bug in runc to overwrite the runc binary on the host and thus gain root privileges on the host running the container. The most common source of risk is therefore attacker-controlled container images, such as unvetted images pulled from public registries.
Affected services
- Concourse
- ECS
- Kubernetes
What are we doing
- Concourse: Concourse workers are being replaced with a patched version (4.2.3).
- ECS: All ECS nodes are being replaced with a patched Amazon Linux version (ami-0dc3fa046ca0e570c).
- Kubernetes: Since we’re using an older version of Docker (17.03.2), we can’t update to the latest Docker release without extensive testing. Therefore we’re currently rolling out a patched runc binary for Docker 17.03.2 on all our clusters’ nodes, which fixes this vulnerability on those nodes.
What can you do
Since running as UID 0 inside a container poses a risk, you can specify that your Pods run their containers as a non-0 user by setting securityContext.runAsUser in the Pod spec (a container-level securityContext overrides the Pod-level one). Adding securityContext.runAsNonRoot: true makes the kubelet refuse to start any container that would run as UID 0, so a misconfigured image fails loudly instead of running as root. More info can be found in the Kubernetes blog post and the Kubernetes documentation.
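A Pod spec that applies the advice above, added here as an illustration rather than a manifest from this post or from any of our services; the Pod name, image reference, UIDs and port are placeholders and must be adapted to an image that is actually built to run as that user:

```yaml
# Added example: run every container in the Pod as a non-root user and have
# the kubelet enforce it. Names, UIDs and the image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: app-nonroot          # placeholder Pod name
spec:
  securityContext:
    # Pod-level defaults, inherited by every container below.
    runAsUser: 1000          # assumed UID; use one your image's files/ports tolerate
    runAsGroup: 1000         # assumed GID
    fsGroup: 1000            # volumes are made writable for this GID
    # kubelet refuses to start a container that would run as UID 0. If
    # runAsUser is unset it checks the image's USER, which must then be a
    # numeric non-zero UID (a user *name* cannot be verified and is rejected).
    runAsNonRoot: true
  containers:
    - name: app
      image: example.com/app:1.0   # placeholder; must not require root to start
      securityContext:
        # A container may override the Pod-level UID; runAsNonRoot still forbids 0.
        runAsUser: 1001
        # Block setuid/setgid binaries from regaining root inside the container.
        allowPrivilegeEscalation: false
      ports:
        - containerPort: 8080      # unprivileged port; ports < 1024 need CAP_NET_BIND_SERVICE
```

After `kubectl apply -f` on this manifest, `kubectl exec app-nonroot -- id -u` should print 1001. If the image's entrypoint assumes root (writing to /var/run, binding port 80, chowning files), the container will fail at start; fix the image rather than dropping runAsNonRoot.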