VMSA-2019-0001.3

VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.

1. Summary

VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.

2. Relevant Products

-VMware Integrated OpenStack with Kubernetes (VIO-K)
-VMware Enterprise PKS (Enterprise PKS)
-VMware vCloud Director Container Service Extension (CSE)
-vSphere Integrated Containers (VIC)
 

3. Problem Description
 

VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host's runc binary and execute arbitrary code. Exploitation of this vulnerability requires the attacker to have existing permission to deploy containers or run docker exec. Alternatively, an attacker could trick a user with these permissions into deploying a malicious container or running docker exec for them.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5736 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
 

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware Enterprise PKS 1.3.3

Downloads:
https://network.pivotal.io/products/pivotal-container-service/#/releases/309133
Documentation:
https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.3/rn/VMware-PKS-13-Release-Notes.html

VMware Enterprise PKS 1.2.10

Downloads:

https://network.pivotal.io/products/pivotal-container-service/#/releases/309126

Documentation:
https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.2/rn/VMware-PKS-12-Release-Notes.html

VMware vCloud Director Container Service Extension 1.2.7

Downloads:
https://pypi.org/project/container-service-extension/1.2.7/
Documentation:
https://vmware.github.io/container-service-extension/RELEASE_NOTES.html

vSphere Inegrated Containers 1.5.1
 

Downloads:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_integrated_containers/1_5
Documentation:
https://docs.vmware.com/en/VMware-vSphere-Integrated-Containers/1.5.1/rn/VMware-vSphere-Integrated-Containers-151-Release-Notes.html

5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
https://pivotal.io/security/cve-2019-5736

6. Change log

2019-02-15: VMSA-2019-0001
Initial security advisory following the release of VMware Enterprise PKS 1.3.2 and 1.2.9 on 2019-02-13.

2019-02-15: VMSA-2019-0001.1
Updated security advisory in conjunction with the release of VMware vCloud Director Container Service Extension 1.2.7 on 2019-02-15.

2019-02-19: VMSA-2019-0001.2
Updated security advisory in conjunction with the release of vSphere Integrated Containers 1.5.1 on 2019-02-19.

2019-02-22: VMSA-2019-0001.3
Updated security advisory in conjunction with the release of VMware Enterprise PKS 1.3.3 and 1.2.10 on 2019-02-22. Note: VMware Enterprise PKS 1.3.2 and 1.2.9 were incorrectly listed as resolving CVE-2019-5736 in the original version of this advisory.

7. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

https://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Copyright 2019 VMware Inc. All rights reserved.