1. Summary
VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.
2. Relevant Products
-VMware Integrated OpenStack with Kubernetes (VIO-K)
-VMware Enterprise PKS (Enterprise PKS)
-VMware vCloud Director Container Service Extension (CSE)
-vSphere Integrated Containers (VIC)
3. Problem Description
VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host's runc binary and execute arbitrary code. Exploitation of this vulnerability requires the attacker to have existing permission to deploy containers or run docker exec. Alternatively, an attacker could trick a user with these permissions into deploying a malicious container or running docker exec for them.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5736 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
Sign up for Security Advisories
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware Enterprise PKS 1.3.3
Downloads:
https://network.pivotal.io/products/pivotal-container-service/#/releases/309133
Documentation:
https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.3/rn/VMware-PKS-13-Release-Notes.html
VMware Enterprise PKS 1.2.10
Downloads:
https://network.pivotal.io/products/pivotal-container-service/#/releases/309126
Documentation:
https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.2/rn/VMware-PKS-12-Release-Notes.html
VMware vCloud Director Container Service Extension 1.2.7
Downloads:
https://pypi.org/project/container-service-extension/1.2.7/
Documentation:
https://vmware.github.io/container-service-extension/RELEASE_NOTES.html
vSphere Inegrated Containers 1.5.1
Downloads:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_integrated_containers/1_5
Documentation:
https://docs.vmware.com/en/VMware-vSphere-Integrated-Containers/1.5.1/rn/VMware-vSphere-Integrated-Containers-151-Release-Notes.html
6. Change log
2019-02-15: VMSA-2019-0001
Initial security advisory following the release of VMware Enterprise PKS 1.3.2 and 1.2.9 on 2019-02-13.
2019-02-15: VMSA-2019-0001.1
Updated security advisory in conjunction with the release of VMware vCloud Director Container Service Extension 1.2.7 on 2019-02-15.
2019-02-19: VMSA-2019-0001.2
Updated security advisory in conjunction with the release of vSphere Integrated Containers 1.5.1 on 2019-02-19.
2019-02-22: VMSA-2019-0001.3
Updated security advisory in conjunction with the release of VMware Enterprise PKS 1.3.3 and 1.2.10 on 2019-02-22. Note: VMware Enterprise PKS 1.3.2 and 1.2.9 were incorrectly listed as resolving CVE-2019-5736 in the original version of this advisory.
7. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2019 VMware Inc. All rights reserved.