VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.
2. Relevant Products
-VMware Integrated OpenStack with Kubernetes (VIO-K)
-VMware Enterprise PKS (Enterprise PKS)
-VMware vCloud Director Container Service Extension (CSE)
-vSphere Integrated Containers (VIC)
3. Problem Description
VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host's runc binary and execute arbitrary code. Exploitation of this vulnerability requires the attacker to have existing permission to deploy containers or run docker exec. Alternatively, an attacker could trick a user with these permissions into deploying a malicious container or running docker exec for them.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5736 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VMware Enterprise PKS 1.3.3
VMware Enterprise PKS 1.2.10
VMware vCloud Director Container Service Extension 1.2.7
vSphere Inegrated Containers 1.5.1
6. Change log
Initial security advisory following the release of VMware Enterprise PKS 1.3.2 and 1.2.9 on 2019-02-13.
Updated security advisory in conjunction with the release of VMware vCloud Director Container Service Extension 1.2.7 on 2019-02-15.
Updated security advisory in conjunction with the release of vSphere Integrated Containers 1.5.1 on 2019-02-19.
Updated security advisory in conjunction with the release of VMware Enterprise PKS 1.3.3 and 1.2.10 on 2019-02-22. Note: VMware Enterprise PKS 1.3.2 and 1.2.9 were incorrectly listed as resolving CVE-2019-5736 in the original version of this advisory.
E-mail list for product security notifications and announcements:
This Security Advisory is posted to the following lists:
PGP key at:
VMware Security Advisories
VMware Security Response Policy
VMware Lifecycle Support Phases
VMware Security & Compliance Blog
Copyright 2019 VMware Inc. All rights reserved.