KCSA-CVE-2019-5736.md

File metadata and controls

49 lines (35 loc) · 1.6 KB

announcement-date: 2019-02-22

id: KCSA-CVE-2019-5736

title: CVE-2019-5736 runc container breakout assessment

description: Impact of CVE-2019-5736 on Kata Containers

potentially-affected-components:

  • components: kata-agent
    version: all

vulnerabilities:

  • CVE-ID: CVE-2019-5736

reporters:

issues:

links:

  • #85

reviews:

  • No fix required. No PR raised.

reproduce:

  • The exploit does not affect Kata Containers.

notes:

  • CVE-2019-5736 does not affect Kata Containers. Kata Containers does use the runc libcontainer library as part of its kata-agent to launch container workloads, but the kata-agent executable is a permanently running application within the Kata Containers VM. Thus, the exit/re-execute cycle that CVE-2019-5736 relies on to execute the injected code never takes place.
  • It should be noted that, had the exploit escaped from the kata-agent, the exploit code would have been executing inside the Kata Containers VM as root and would not have had direct access to either the host system or other containers/pods.
  • It is highly likely Kata Containers will vendor in and adopt all relevant libcontainer updates and changes, but given the "copying" nature of some fixes, a performance and resource impact review will be undertaken.