Red Hat announces container flaw CVE-2019-5736


Red Hat announced a vulnerability this morning – one that can be exploited if a user runs malicious or modified containers. The flaw in runC (a lightweight portable container runtime) and Docker that this vulnerability exposes allows an attacker to escape a container and access the underlying file system. That might sound bad, but there’s more.

The good news is that this vulnerability cannot be exploited if SELinux is enabled and that this is the default on Red Hat systems. To check whether your Red Hat system is enforcing SELinux, use one of the following commands:

$ /usr/sbin/getenforce
Enforcing <==
$ sestatus
SELinux status: enabled <==
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 31

This vulnerability also requires local access to the system. Affected Red Hat systems include:

  • Red Hat OpenShift Container Platform 3.x
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Enterprise Linux 7

The status of the vulnerability is rated as IMPORTANT. To see descriptions of this and other possible vulnerability security ratings, visit Issue Severity Classification page.

To review SELinux security modes and commands for moving between them, visit this PERMANENT CHANGES IN SELINUX STATES AND MODES.

Instructions to customers will be continuallly updated at updates.