runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.6 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H | 1.8 | 6.0 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| netapp | hci_management_node | - |
| redhat | openshift | 3.4 |
| opensuse | leap | 15.1 |
| hp | onesphere | - |
| opensuse | leap | 42.3 |
| opensuse | leap | 15.0 |
| redhat | enterprise_linux | 8.0 |
| canonical | ubuntu_linux | 16.04 |
| redhat | openshift | 3.7 |
| linuxfoundation | runc | 1.0.0 |
| d2iq | dc/os | * |
| linuxcontainers | lxc | * |
| canonical | ubuntu_linux | 18.10 |
| linuxfoundation | runc | * |
| microfocus | service_management_automation | 2018.02 |
| redhat | container_development_kit | 3.7 |
| d2iq | kubernetes_engine | * |
| redhat | openshift | 3.5 |
| netapp | solidfire | - |
| microfocus | service_management_automation | 2018.11 |
| canonical | ubuntu_linux | 18.04 |
| opensuse | backports_sle | 15.0 |
| canonical | ubuntu_linux | 19.04 |
| redhat | enterprise_linux_server | 7.0 |
| fedoraproject | fedora | 29 |
| fedoraproject | fedora | 30 |
| apache | mesos | * |
| kubernetes_engine | - | |
| microfocus | service_management_automation | 2018.08 |
| docker | docker | * |
| redhat | openshift | 3.6 |
| microfocus | service_management_automation | 2018.05 |