Bug 1121967 (CVE-2019-5736) - VUL-0: CVE-2019-5736: docker-runc: container breakout vulnerability
Summary: VUL-0: CVE-2019-5736: docker-runc: container breakout vulnerability
Status: RESOLVED FIXED
Alias: CVE-2019-5736
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other All
Priority: P2 - High; Severity: Major
Target Milestone: ---
Assignee: Aleksa Sarai
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/222791/
Whiteboard: CVSSv3:SUSE:CVE-2019-5736:7.5:(AV:L/A...
Keywords:
Depends on:
Blocks: 1122185
 
Reported: 2019-01-15 09:47 UTC by Karol Babioch
Modified: 2024-07-22 13:50 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch (8.76 KB, patch)
2019-02-07 02:44 UTC, Aleksa Sarai

Description Karol Babioch 2019-01-15 09:47:26 UTC
I'm opening this bug on request of Aleksa Sarai.

---

CVE-2019-5736

Hiya,

I've gotten CVE-2019-5736 assigned. It's a runc container breakout
vulnerability, and I've been working on a patch to fix it. Can you set
up a BSC so I can include the patch files?

It's still under embargo, and we're waiting on Docker to tell us when
would be convenient for them.

Thanks.

---

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5736
Comment 1 Aleksa Sarai 2019-01-15 21:58:13 UTC
The core vulnerability is effectively that a container can cause the container runtime binary to be executed within the container (thus allowing malicious shared libraries to be loaded). This allows for the *host* container runtime binary to be replaced with a malicious version, thus giving root-level RCE access. The attack requires some interaction with the malicious container, but it's quite minimal (you can replace /bin/bash, so a trivial "docker exec" will trigger the bug).

This vulnerability is not effective under user namespaces (because the container root doesn't have permissions to overwrite the host binary). It is not blocked by the default AppArmor profile (it might be blocked under SELinux though).

I will attach a reproducer as well as the patches (which have been LGTM'd by upstream). We are still working on a CRD (it's a bit complicated because cloud vendors have to update too).

I have also discovered that LXC is vulnerable to the same bug (though the exploit is a bit more complicated, due to some practical considerations with how lxc-attach works).
Comment 2 Aleksa Sarai 2019-01-15 21:59:24 UTC
Sorry, I forgot to mention that my quick CVSSv3 estimate is 7.0:

  AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H/E:F/RL:X/RC:C
Comment 6 Karol Babioch 2019-01-18 13:35:42 UTC
CRD: 2019-02-11

This may still change, depending on feedback from other vendors.
Comment 8 Aleksa Sarai 2019-01-29 04:29:39 UTC
Created attachment 795470
0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch

I have developed an updated form of the patch. It's functionally identical to the one sent out to everyone else, with just a few niceness fixes (this is the version I will push to runc upstream when the embargo lifts).
Comment 9 Marcus Meissner 2019-02-01 06:50:25 UTC
CRD: 2019-02-11 15:00CET
Comment 12 Aleksa Sarai 2019-02-07 02:44:22 UTC
Created attachment 796192
0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch

This contains an O_TMPFILE fallback for SLE12 which is necessary for builds to work.
Comment 18 Marcus Meissner 2019-02-11 13:07:59 UTC
is public via oss-security.

From: Aleksa Sarai <cyphar@cyphar.com>
Date: Tue, 12 Feb 2019 00:05:20 +1100
Subject: [security@suse.de] CVE-2019-5736: runc container breakout (all versions)

[[        Patch CRD: 2019-02-11 15:00 CET ]]
[[ Exploit Code CRD: 2019-02-18 15:00 CET ]]

Hello,

I am one of the maintainers of runc (the underlying container runtime
underneath Docker, cri-o, containerd, Kubernetes, and so on). We
recently had a vulnerability reported which we have verified and have a
patch for.

The researchers who found this vulnerability are:
  * Adam Iwaniuk
  * Borys Popławski

In addition, Aleksa Sarai (me) discovered that LXC was also vulnerable
to a more convoluted version of this flaw.

== OVERVIEW ==

The vulnerability allows a malicious container to (with minimal user
interaction) overwrite the host runc binary and thus gain root-level
code execution on the host. The level of user interaction is being able
to run any command (it doesn't matter if the command is not
attacker-controlled) as root within a container in either of these
contexts:

  * Creating a new container using an attacker-controlled image.
  * Attaching (docker exec) into an existing container which the
    attacker had previous write access to.

This vulnerability is *not* blocked by the default AppArmor policy, nor
by the default SELinux policy on Fedora[++] (because container processes
appear to be running as container_runtime_t). However, it *is* blocked
through correct use of user namespaces (where the host root is not
mapped into the container's user namespace).

Our CVSSv3 vector is (with a score of 7.2):

  AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H

The assigned CVE for this issue is CVE-2019-5736.

[++]: This is only the case for the "moby-engine" package on Fedora. The
          "docker" package as well as podman are protected against this
          exploit because they run container processes as container_t.

== PATCHES ==

I have attached the relevant patch which fixes this issue. This patch is
based on HEAD, but the code in libcontainer/nsenter/ changes so
infrequently that it should apply cleanly to any old version of the runc
codebase you are dealing with.

Please note that the patch I have pushed to runc master[1] is a modified
version of this patch -- even though it is functionally identical
(though we would recommend using the upstream one if you haven't patched
using the attached one already).

== NON-ESSENTIAL EXPLOIT CODE ==

Several vendors have asked for exploit code to ensure that the patches
actually solve the issue. Due to the severity of the issue (especially
for public cloud vendors), we decided to provide the attached exploit
code. This exploit code was written by me, and is more generic than the
original exploit code provided by the researchers and works against LXC
(it could likely be used on other vulnerable runtimes with no
significant modification). Details on how to use the exploit code are
provided in the README.

As per OpenWall rules, this exploit code will be published *publicly* 7
days after the CRD (which is 2019-02-18). *If you have a container
runtime, please verify that you are not vulnerable to this issue
beforehand.*

== IMPACT ON OTHER PROJECTS ==

It should be noted that upon further investigation I've discovered that
LXC has a similar vulnerability, and they have also pushed a similar
patch[2] which we co-developed. LXC is a bit harder to exploit, but the
same fundamental flaw exists.

After some discussion with the systemd-nspawn folks, it appears that
they aren't vulnerable (because their method of attaching to a container
uses a different method to LXC and runc).

I have been contacted by folks from Apache Mesos who said they were also
vulnerable (I believe just using the exploit code that will be
provided). It is quite likely that most container runtimes are
vulnerable to this flaw, unless they took very strange mitigations
beforehand.

== OTHER NEWS ==

We have set up an announcement list for future security vulnerabilities,
and you can see the process for joining here[3] (it's based on the
Kubernetes security-announce mailing list). Please join if you
distribute any container runtimes that depend on runc (or other OCI
projects).

[1]: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
[2]: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
[3]: https://github.com/opencontainers/org/blob/master/security.md

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
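
The attached patch is titled "nsenter: clone /proc/self/exe to avoid exposing host binary". The sketch below is an added example, not runc's code and not part of the advisory: it shows one kernel mechanism such a clone can rely on, a memfd copy carrying the write, grow, shrink and seal seals, after which overwrite attempts fail with EPERM. The helper names and the sample bytes are constructed for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Linux UAPI values, defined here in case the libc headers hide them. */
#ifndef MFD_CLOEXEC
#define MFD_CLOEXEC       0x0001U
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS   1033
#define F_GET_SEALS   1034
#define F_SEAL_SEAL   0x0001
#define F_SEAL_SHRINK 0x0002
#define F_SEAL_GROW   0x0004
#define F_SEAL_WRITE  0x0008
#endif
#define CLONE_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Hypothetical helper: copy len bytes into a memfd and seal it. Returns fd or -1. */
int sealed_copy(const void *buf, size_t len)
{
    int fd = (int)syscall(SYS_memfd_create, "cloned-binary-demo",
                          MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0)
        return -1;
    for (const char *p = buf; len > 0; ) {
        ssize_t n = write(fd, p, len);
        if (n <= 0) {
            close(fd);
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    /* After this call the contents cannot be written, resized or unsealed. */
    if (fcntl(fd, F_ADD_SEALS, CLONE_SEALS) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if fd carries all four seals, 0 if it does not or cannot, -1 on error. */
int is_sealed_clone(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    if (seals < 0)
        return errno == EINVAL ? 0 : -1;
    return (seals & CLONE_SEALS) == CLONE_SEALS;
}

/* errno of a one-byte overwrite attempt at offset 0, or 0 if it succeeded. */
int overwrite_errno(int fd)
{
    return pwrite(fd, "X", 1, 0) < 0 ? errno : 0;
}

int main(void)
{
    static const char image[] = "constructed stand-in for a runtime binary";
    int fd = sealed_copy(image, sizeof image);
    if (fd < 0)
        return 1;
    printf("sealed=%d overwrite_errno=%d\n", is_sealed_clone(fd), overwrite_errno(fd));
    return 0;
}
```

Running `is_sealed_clone()` on an ordinary on-disk file or a pipe returns 0, which is how a process can tell whether it is executing from a sealed copy or from the original binary.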
Comment 19 Swamp Workflow Management 2019-02-11 15:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1121967) was mentioned in
https://build.opensuse.org/request/show/673383 Factory / docker-runc
Comment 20 Richard Brown 2019-02-12 10:55:38 UTC
Is there any ETA when runc will be patched in Factory/Tumbleweed/Kubic/Leap and Packagehub, all of which appear to be affected?
Comment 21 Swamp Workflow Management 2019-02-12 15:10:23 UTC
This is an autogenerated message for OBS integration:
This bug (1121967) was mentioned in
https://build.opensuse.org/request/show/674127 Backports:SLE-15 / runc
https://build.opensuse.org/request/show/674128 15.0 / runc
https://build.opensuse.org/request/show/674132 15.1 / runc
Comment 24 Swamp Workflow Management 2019-02-12 20:08:41 UTC
SUSE-SU-2019:0337-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
SUSE CaaS Platform 3.0 (src):    runc-1.0.0~rc5-3.6.1
Comment 26 Swamp Workflow Management 2019-02-13 17:10:50 UTC
SUSE-SU-2019:0362-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1
SUSE Linux Enterprise Module for Containers 15 (src):    docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1
Comment 27 Swamp Workflow Management 2019-02-13 20:09:50 UTC
openSUSE-SU-2019:0170-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1095817,1118897,1118898,1118899,1121967
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
openSUSE Backports SLE-15 (src):    runc-1.0.0~rc6-bp150.2.3.1
Comment 28 Swamp Workflow Management 2019-02-13 20:10:50 UTC
SUSE-SU-2019:0385-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
SUSE OpenStack Cloud 6-LTSS (src):    docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-1.9.1
SUSE Linux Enterprise Module for Containers 12 (src):    docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-1.9.1
OpenStack Cloud Magnum Orchestration 7 (src):    docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-1.9.1
Comment 30 Swamp Workflow Management 2019-02-18 20:26:45 UTC
openSUSE-SU-2019:0201-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
openSUSE Leap 42.3 (src):    docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-8.1, docker-runc-kubic-1.0.0rc5+gitr3562_69663f0bd4b6-8.1
Comment 31 Swamp Workflow Management 2019-02-19 14:14:51 UTC
openSUSE-SU-2019:0208-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1095817,1118897,1118898,1118899,1121967
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
openSUSE Leap 15.0 (src):    runc-1.0.0~rc6-lp150.2.3.1
Comment 34 Swamp Workflow Management 2019-02-26 20:11:57 UTC
SUSE-SU-2019:0495-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    containerd-1.2.2-5.9.1, docker-18.09.1_ce-6.14.1, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-6.12.1, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-4.9.1
SUSE Linux Enterprise Module for Containers 15 (src):    containerd-1.2.2-5.9.1, docker-18.09.1_ce-6.14.1, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-6.12.1, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-4.9.1
Comment 35 Swamp Workflow Management 2019-02-27 11:17:08 UTC
openSUSE-SU-2019:0252-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
openSUSE Leap 15.0 (src):    docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.7.1
Comment 36 Swamp Workflow Management 2019-03-06 20:11:46 UTC
openSUSE-SU-2019:0295-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
openSUSE Leap 15.0 (src):    containerd-1.2.2-lp150.4.10.1, docker-18.09.1_ce-lp150.5.13.1, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1, runc-1.0.0~rc6-lp150.2.7.1
Comment 37 Swamp Workflow Management 2019-03-08 17:10:42 UTC
SUSE-SU-2019:0573-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1001161,1048046,1051429,1112980,1114832,1118897,1118898,1118899,1121412,1121967,1124308
CVE References: CVE-2016-9962,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
SUSE OpenStack Cloud 6-LTSS (src):    containerd-1.2.2-16.14.2, docker-18.09.1_ce-98.34.2, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-1.17.2, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-16.2
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.2.2-16.14.2, docker-18.09.1_ce-98.34.2, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-1.17.2, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-16.2
Comment 38 Swamp Workflow Management 2019-03-29 23:22:01 UTC
openSUSE-SU-2019:1079-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1001161,1048046,1051429,1112980,1114832,1118897,1118898,1118899,1121412,1121967,1124308
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
openSUSE Leap 42.3 (src):    containerd-1.2.2-22.1, containerd-kubic-1.2.2-22.1, docker-18.09.1_ce-54.1, docker-kubic-18.09.1_ce-54.1, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-11.1, docker-runc-kubic-1.0.0rc6+gitr3748_96ec2177ae84-11.1, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-11.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2711_2cfbf9b1f981-11.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 39 Swamp Workflow Management 2019-05-14 22:39:54 UTC
SUSE-SU-2019:1234-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
SUSE Linux Enterprise Module for Containers 15 (src):    containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 40 Swamp Workflow Management 2019-06-03 13:13:23 UTC
openSUSE-SU-2019:1499-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
openSUSE Leap 15.0 (src):    containerd-1.2.5-lp150.4.14.3, docker-18.09.6_ce-lp150.5.17.2, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp150.5.21.2, go-1.12-lp150.2.11.1, go1.11-1.11.9-lp150.9.3, go1.12-1.12.4-lp150.2.2, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp150.3.14.1
Comment 41 Swamp Workflow Management 2019-06-13 19:12:50 UTC
SUSE-SU-2019:1234-2: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1

Comment 43 Swamp Workflow Management 2019-08-13 16:10:45 UTC
SUSE-SU-2019:2117-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    containerd-1.2.6-5.16.1, containerd-kubic-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-kubic-19.03.1_ce-6.26.2, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15 (src):    containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1

Comment 44 Swamp Workflow Management 2019-08-13 16:13:29 UTC
SUSE-SU-2019:2119-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1100331,1121967,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE OpenStack Cloud 6-LTSS (src):    containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE CaaS Platform 3.0 (src):    containerd-kubic-1.2.6-16.23.1, docker-kubic-19.03.1_ce-98.46.1, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-25.1

Comment 45 Swamp Workflow Management 2019-08-29 22:13:43 UTC
openSUSE-SU-2019:2021-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
openSUSE Leap 15.1 (src):    containerd-1.2.6-lp151.2.6.1, docker-19.03.1_ce-lp151.2.12.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1
openSUSE Leap 15.0 (src):    containerd-1.2.6-lp150.4.17.1, docker-19.03.1_ce-lp150.5.27.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp150.5.25.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp150.3.18.1
Comment 46 Aleksa Sarai 2019-10-08 21:54:10 UTC
This has been fixed for a long time.
Comment 49 Swamp Workflow Management 2021-04-30 16:19:27 UTC
SUSE-SU-2021:1458-1: An update that solves 9 vulnerabilities and has 23 fixes is now available.

Category: security (important)
Bug References: 1028638,1034053,1048046,1051429,1053532,1095817,1118897,1118898,1118899,1121967,1131314,1131553,1149954,1152308,1160452,1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183397,1183855,1184768,1184962
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-16884,CVE-2019-19921,CVE-2019-5736,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.4-16.38.1, docker-20.10.6_ce-98.66.1, runc-1.0.0~rc93-16.8.1
