VMSA-2019-0001.3

VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.

VMware Security Advisory
 
VMware Security Advisory Advisory ID:
 VMSA-2019-0001.3
VMware Security Advisory Severity:
 Important
VMware Security Advisory Synopsis:
 VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.
VMware Security Advisory Issue date:
 2019-02-15
VMware Security Advisory Updated on:
 2019-02-22
VMware Security Advisory CVE numbers:
 CVE-2019-5736


1. Summary

VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.

 

2. Relevant Products

-VMware Integrated OpenStack with Kubernetes (VIO-K)
-VMware Enterprise PKS (Enterprise PKS)
-VMware vCloud Director Container Service Extension (CSE)
-vSphere Integrated Containers (VIC)
 

3. Problem Description
 

VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host's runc binary and execute arbitrary code. Exploitation of this vulnerability requires the attacker to have existing permission to deploy containers or run docker exec. Alternatively, an attacker could trick a user with these permissions into deploying a malicious container or running docker exec for them.


The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5736 to this issue.

 

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
 

VMware Product Product Version Running On Severity Replace_with/Apply_Patch Mitigation/Workaround
VIO-K 5.x Any Important Patch Pending None
Enterprise PKS
1.3.x Any Important 1.3.3 None
Enterprise PKS
1.2.x Any Important 1.2.10 None
CSE
1.x Any Important 1.2.7 None
VIC 1.x Any Important 1.5.1 None

6. Change log

 

2019-02-15: VMSA-2019-0001
Initial security advisory following the release of VMware Enterprise PKS 1.3.2 and 1.2.9 on 2019-02-13.

2019-02-15: VMSA-2019-0001.1
Updated security advisory in conjunction with the release of VMware vCloud Director Container Service Extension 1.2.7 on 2019-02-15.

2019-02-19: VMSA-2019-0001.2
Updated security advisory in conjunction with the release of vSphere Integrated Containers 1.5.1 on 2019-02-19.

2019-02-22: VMSA-2019-0001.3
Updated security advisory in conjunction with the release of VMware Enterprise PKS 1.3.3 and 1.2.10 on 2019-02-22. Note: VMware Enterprise PKS 1.3.2 and 1.2.9 were incorrectly listed as resolving CVE-2019-5736 in the original version of this advisory.

 

7. Contact

 

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

 

This Security Advisory is posted to the following lists:

  security-announce@lists.vmware.com

  bugtraq@securityfocus.com

  fulldisclosure@seclists.org

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

 

VMware Security Advisories

https://www.vmware.com/security/advisories

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security

 

Twitter

https://twitter.com/VMwareSRC

 

Copyright 2019 VMware Inc. All rights reserved.