Commit

Some corrections identified by @tallclair. (kubernetes#12605)
coderanger authored and Kevin Wiesmüller committed Feb 28, 2019
1 parent d2641f0 commit 988641a
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions content/en/blog/_posts/2019-02-11-runc-CVE-2019-5736.md
@@ -15,7 +15,7 @@ Kubernetes in turn sits on top of those tools, and so while no part of Kubernete

While full details are still embargoed to give people time to patch, the rough version is that when running a process as root (UID 0) inside a container, that process can exploit a bug in runc to gain root privileges on the host running the container. This then allows them unlimited access to the server as well as any other containers on that server.

If the process inside the container is either trusted (something you know is not hostile) or is not running as UID 0, then the vulnerability does not apply. It can also be prevented by SELinux, if an appropriate policy has been applied. RedHat Enterprise Linux, CentOS, and Fedora all include appropriate SELinux permissions with their packages and so are believed to be unaffected.
If the process inside the container is either trusted (something you know is not hostile) or is not running as UID 0, then the vulnerability does not apply. It can also be prevented by SELinux, if an appropriate policy has been applied. RedHat Enterprise Linux and CentOS both include appropriate SELinux permissions with their packages and so are believed to be unaffected if SELinux is enabled.

The most common source of risk is attacker-controller container images, such as unvetted images from public repositories.
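Review bot: the new qualifier "if SELinux is enabled" on the replaced sentence is still too loose, because SELinux can be enabled yet running in permissive mode, where policy violations are only logged and nothing is blocked; suggest "if SELinux is enabled and in enforcing mode" (readers can confirm with `getenforce`). Two small things in the same hunk: "RedHat" is the vendor's own spelling "Red Hat", and "attacker-controller container images" in the trailing context line should read "attacker-controlled".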

@@ -69,7 +69,7 @@ Some platforms have also posted more specific instructions:

#### Google Container Engine (GKE)

Google has issued a [security bulletin](https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc) with more detailed information but in short, if you are using the default GKE node image then you are safe. If you are using an Ubuntu or CoreOS node image then you will need to mitigate or upgrade to an image with a fixed version of runc.
Google has issued a [security bulletin](https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc) with more detailed information but in short, if you are using the default GKE node image then you are safe. If you are using an Ubuntu node image then you will need to mitigate or upgrade to an image with a fixed version of runc.

#### Amazon Elastic Container Service for Kubernetes (EKS)
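Review bot: "if you are using the default GKE node image then you are safe" names neither the image nor the version it became unaffected at, and "safe" reads as an absolute; suggest stating which node image is the default and from which image version it is unaffected, taken from the linked bulletin, e.g. "the default node image is not affected as of version <from bulletin>". Dropping CoreOS from the list of images that need mitigation is only right if the bulletin says so; the commit message credits @tallclair but does not say why, so a one-line rationale in the message or PR would help the next reader.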

