Bug 1152308 - (CVE-2019-16884) VUL-0: CVE-2019-16884: runc: LSM bypass via malicious Docker image that mounts over a /proc directory
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Aleksa Sarai
Security Team bot
https://smash.suse.de/issue/243302/
CVSSv3:SUSE:CVE-2019-16884:5.3:(AV:L/...
Reported: 2019-09-27 12:45 UTC by Alexander Bergmann
Modified: 2021-09-01 10:47 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2019-09-27 12:45:08 UTC
CVE-2019-16884

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products,
allows AppArmor restriction bypass because libcontainer/rootfs_linux.go
incorrectly checks mount targets, and thus a malicious Docker image can mount
over a /proc directory.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-16884
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-16884.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884
https://github.com/opencontainers/runc/issues/2128
Comment 1 Aleksa Sarai 2019-09-28 11:27:52 UTC
I've already submitted Factory SRs for this. Note that we need to backport several patches for it:

  * https://github.com/opencontainers/runc/pull/2129
  * https://github.com/opencontainers/runc/pull/2130
  * https://github.com/opencontainers/selinux/pull/59
Comment 2 Swamp Workflow Management 2019-09-28 12:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1152308) was mentioned in
https://build.opensuse.org/request/show/733835 Factory / runc
https://build.opensuse.org/request/show/733836 Factory / docker-runc
Comment 3 Aleksa Sarai 2019-09-29 14:47:18 UTC
It should be noted this can also be used to bypass SELinux (and probably any LSM that depends on setting labels through /proc/self/attr/...).
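Added example, not runc's code and not from this bug: a mount-target check of the kind the description says libcontainer/rootfs_linux.go was missing, rejecting any image-supplied mount whose destination would shadow /proc or a path below it (the /proc/self/attr files through which the AppArmor or SELinux label is applied, as comment 3 notes). CheckProcMount, allowedProcSubtrees and the rootfs path are assumptions of this example; it also goes a step beyond the page by refusing destinations that escape the rootfs, and it assumes symlinks inside the rootfs were already resolved (runc does that with the filepath-securejoin library).

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Exact-match allowlist of /proc subtrees that legitimately get their own mounts; constructed for this example.
var allowedProcSubtrees = []string{"/proc/asound", "/proc/bus", "/proc/fs", "/proc/irq", "/proc/sys", "/proc/sysrq-trigger"}

// outside reports whether a filepath.Rel result escapes its base. Testing ".." and "../"
// rather than the bare prefix ".." matters: an entry literally named "..hidden" is inside.
func outside(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, "../")
}

// CheckProcMount decides whether a container mount may be placed at dest (absolute host
// path). dest is assumed to be already resolved through any symlinks inside rootfs;
// source is the bind-mount source, or "" for a fresh procfs.
func CheckProcMount(rootfs, dest, source string) error {
	rootfs, dest = filepath.Clean(rootfs), filepath.Clean(dest)
	if rel, err := filepath.Rel(rootfs, dest); err != nil || outside(rel) {
		return fmt.Errorf("mount target %q escapes rootfs %q", dest, rootfs)
	}
	rel, err := filepath.Rel(filepath.Join(rootfs, "proc"), dest)
	if err != nil {
		return err
	}
	if outside(rel) {
		return nil // not under /proc: nothing to protect here
	}
	if rel == "." {
		// Only a fresh procfs may sit on /proc itself; a bind mount there would
		// replace the /proc/self/attr/* files the LSM label is written through.
		if source == "" {
			return nil
		}
		return fmt.Errorf("%q may only be mounted as procfs, not from %q", dest, source)
	}
	for _, ok := range allowedProcSubtrees {
		if r, err := filepath.Rel(filepath.Join(rootfs, ok), dest); err == nil && r == "." {
			return nil
		}
	}
	return fmt.Errorf("%q cannot be a mount target: it is inside /proc", dest)
}
```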
Comment 5 Swamp Workflow Management 2019-10-09 08:20:52 UTC
This is an autogenerated message for OBS integration:
This bug (1152308) was mentioned in
https://build.opensuse.org/request/show/736405 Factory / docker-runc
Comment 6 Swamp Workflow Management 2019-10-25 19:11:50 UTC
SUSE-SU-2019:2787-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1152308
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.32.1
SUSE CaaS Platform 3.0 (src):    docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-1.32.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-10-25 19:12:37 UTC
SUSE-SU-2019:2786-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1152308
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-6.24.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.24.1
SUSE Linux Enterprise Module for Containers 15 (src):    docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-10-29 17:25:02 UTC
SUSE-SU-2019:2810-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1131314,1131553,1152308
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    runc-1.0.0~rc8-1.6.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    runc-1.0.0~rc8-1.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-10-31 14:11:44 UTC
openSUSE-SU-2019:2418-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1152308
CVE References: CVE-2019-16884
Sources used:
openSUSE Leap 15.0 (src):    docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp150.5.28.1
Comment 10 Swamp Workflow Management 2019-11-05 20:24:26 UTC
openSUSE-SU-2019:2434-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1152308
CVE References: CVE-2019-16884
Sources used:
openSUSE Leap 15.1 (src):    docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.9.1
Comment 12 Swamp Workflow Management 2020-01-08 11:12:14 UTC
SUSE-SU-2020:0035-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1122469,1143349,1150397,1152308,1153367,1158590
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    containerd-1.2.10-5.19.1, containerd-kubic-1.2.10-5.19.1, docker-19.03.5_ce-6.31.1, docker-kubic-19.03.5_ce-6.31.1, docker-runc-kubic-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    containerd-1.2.10-5.19.1, docker-19.03.5_ce-6.31.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    containerd-1.2.10-5.19.1, docker-19.03.5_ce-6.31.1, docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1
SUSE Linux Enterprise Module for Containers 15 (src):    containerd-1.2.10-5.19.1, docker-19.03.5_ce-6.31.1, docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-6.27.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-4.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2020-01-10 14:15:31 UTC
SUSE-SU-2020:0065-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1122469,1143349,1150397,1152308,1153367,1158590
CVE References: CVE-2019-16884
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.2.10-16.26.1, docker-19.03.5_ce-98.51.1, docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-28.1
SUSE CaaS Platform 3.0 (src):    containerd-kubic-1.2.10-16.26.1, docker-kubic-19.03.5_ce-98.51.1, docker-runc-kubic-1.0.0rc8+gitr3917_3e425f80a8c9-1.35.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2877_3eb39382bfa6-28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Swamp Workflow Management 2020-01-13 23:12:04 UTC
openSUSE-SU-2020:0045-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1122469,1143349,1150397,1152308,1153367,1158590
CVE References: CVE-2019-16884
Sources used:
openSUSE Leap 15.1 (src):    containerd-1.2.10-lp151.2.9.1, docker-19.03.5_ce-lp151.2.15.1, docker-runc-1.0.0rc8+gitr3917_3e425f80a8c9-lp151.3.12.1, golang-github-docker-libnetwork-0.7.0.1+gitr2877_3eb39382bfa6-lp151.2.9.1
Comment 15 Marcus Meissner 2020-12-09 09:32:49 UTC
done
Comment 18 Swamp Workflow Management 2021-04-30 16:19:52 UTC
SUSE-SU-2021:1458-1: An update that solves 9 vulnerabilities and has 23 fixes is now available.

Category: security (important)
Bug References: 1028638,1034053,1048046,1051429,1053532,1095817,1118897,1118898,1118899,1121967,1131314,1131553,1149954,1152308,1160452,1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183397,1183855,1184768,1184962
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-16884,CVE-2019-19921,CVE-2019-5736,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.4.4-16.38.1, docker-20.10.6_ce-98.66.1, runc-1.0.0~rc93-16.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.