VMSA-2019-0001.3
VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.
VMware Security Advisory
1. Summary
VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.
2. Relevant Products
-VMware Integrated OpenStack with Kubernetes (VIO-K)
-VMware Enterprise PKS (Enterprise PKS)
-VMware vCloud Director Container Service Extension (CSE)
-vSphere Integrated Containers (VIC)
3. Problem Description
VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host's runc binary and execute arbitrary code. Exploitation of this vulnerability requires the attacker to have existing permission to deploy containers or run docker exec. Alternatively, an attacker could trick a user with these permissions into deploying a malicious container or running docker exec for them.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5736 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware Enterprise PKS 1.3.3
Downloads:
https://network.pivotal.io/products/pivotal-container-service/#/releases/309133
Documentation:
https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.3/rn/VMware-PKS-13-Release-Notes.html
VMware Enterprise PKS 1.2.10
Downloads:
https://network.pivotal.io/products/pivotal-container-service/#/releases/309126
Documentation:
https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.2/rn/VMware-PKS-12-Release-Notes.html
VMware vCloud Director Container Service Extension 1.2.7
Downloads:
https://pypi.org/project/container-service-extension/1.2.7/
Documentation:
https://vmware.github.io/container-service-extension/RELEASE_NOTES.html
vSphere Inegrated Containers 1.5.1
Downloads:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_integrated_containers/1_5
Documentation:
https://docs.vmware.com/en/VMware-vSphere-Integrated-Containers/1.5.1/rn/VMware-vSphere-Integrated-Containers-151-Release-Notes.html
6. Change log
2019-02-15: VMSA-2019-0001
Initial security advisory following the release of VMware Enterprise PKS 1.3.2 and 1.2.9 on 2019-02-13.
2019-02-15: VMSA-2019-0001.1
Updated security advisory in conjunction with the release of VMware vCloud Director Container Service Extension 1.2.7 on 2019-02-15.
2019-02-19: VMSA-2019-0001.2
Updated security advisory in conjunction with the release of vSphere Integrated Containers 1.5.1 on 2019-02-19.
2019-02-22: VMSA-2019-0001.3
Updated security advisory in conjunction with the release of VMware Enterprise PKS 1.3.3 and 1.2.10 on 2019-02-22. Note: VMware Enterprise PKS 1.3.2 and 1.2.9 were incorrectly listed as resolving CVE-2019-5736 in the original version of this advisory.
7. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2019 VMware Inc. All rights reserved.