CVE-2019-5736: Containment Errors (Container Errors)

February 11, 2019 (updated June 3, 2019)

runc allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

References

www.securityfocus.com/bid/106976
bugzilla.suse.com/show_bug.cgi?id=1121967
github.com/docker/docker-ce/releases/tag/v18.09.2
nvd.nist.gov/vuln/detail/CVE-2019-5736
www.exploit-db.com/exploits/46359/
www.exploit-db.com/exploits/46369/

Code Behaviors & Features

Detect and mitigate CVE-2019-5736 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →