First pass on a blog post about CVE-2019-5736. #12592
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
size/M
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit cbb745c https://deploy-preview-12592--kubernetes-io-master-staging.netlify.com |
zparnold
reviewed
Feb 12, 2019
zparnold
reviewed
Feb 12, 2019
My mistake deftly caught by @zparnold. Co-Authored-By: coderanger <[email protected]>
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kbarnard10 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
tallclair
reviewed
Feb 12, 2019
|
|
||
| While full details are still embargoed to give people time to patch, the rough version is that when running a process as root (UID 0) inside a container, that process can exploit a bug in runc to gain root privileges on the host running the container. This then allows them unlimited access to the server as well as any other containers on that server. | ||
|
|
||
| If the process inside the container is either trusted (something you know is not hostile) or is not running as UID 0, then the vulnerability does not apply. It can also be prevented by SELinux, if an appropriate policy has been applied. RedHat Enterprise Linux, CentOS, and Fedora all include appropriate SELinux permissions with their packages and so are believed to be unaffected. |
There was a problem hiding this comment.
The official announcement explicitly calls out that the default Fedora policy is still vulnerable. Any reason to think otherwise?
tallclair
reviewed
Feb 12, 2019
|
|
||
| #### Google Container Engine (GKE) | ||
|
|
||
| Google has issued a [security bulletin](https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc) with more detailed information but in short, if you are using the default GKE node image then you are safe. If you are using an Ubuntu or CoreOS node image then you will need to mitigate or upgrade to an image with a fixed version of runc. |
There was a problem hiding this comment.
Note that GKE does not support running with CoreOS images.
|
@coderanger Thanks for the right up. Would you mind correcting the details I commented on? |
kwiesmueller
pushed a commit
to kwiesmueller/website
that referenced
this pull request
Feb 28, 2019
* First pass on a blog post about CVE-2019-5736. * Clarify that k8s is not the problem. * Fix example of pinning to an image hash. My mistake deftly caught by @zparnold. Co-Authored-By: coderanger <[email protected]> * Add links to the rest of the notices or releases. * Add ways to get more info. * RHEL link for those that don't selinux. * Link to Rancher's back ports.
krmayankk
pushed a commit
to krmayankk/kubernetes.github.io
that referenced
this pull request
Mar 11, 2019
* First pass on a blog post about CVE-2019-5736. * Clarify that k8s is not the problem. * Fix example of pinning to an image hash. My mistake deftly caught by @zparnold. Co-Authored-By: coderanger <[email protected]> * Add links to the rest of the notices or releases. * Add ways to get more info. * RHEL link for those that don't selinux. * Link to Rancher's back ports.
yagonobre
pushed a commit
to yagonobre/website
that referenced
this pull request
Mar 14, 2019
* First pass on a blog post about CVE-2019-5736. * Clarify that k8s is not the problem. * Fix example of pinning to an image hash. My mistake deftly caught by @zparnold. Co-Authored-By: coderanger <[email protected]> * Add links to the rest of the notices or releases. * Add ways to get more info. * RHEL link for those that don't selinux. * Link to Rancher's back ports.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Trying to get info out to Kubernetes users so they have some guidance.