Alibaba Cloud has fixed the runC vulnerability CVE-2019-5736 in Container Service for Kubernetes (ACK). This topic describes the impacts and how to fix the vulnerability in earlier versions.

Background information

A vulnerability was found in runC, the runtime used by Docker, containerd, and other runC-based container engines. An attacker who can run a command as root inside a container can overwrite the runC binary on the host and then execute arbitrary code as root on the host. The attacker needs either a new container started from an attacker-controlled image, or an existing container to which the attacker previously had write access and which is then attached with docker exec.

For more information, see CVE-2019-5736.

Impacts

  • ACK:

    Docker Swarm clusters and Kubernetes clusters that use Docker versions earlier than 18.09.2 are affected.

  • User-defined Docker/Kubernetes runtimes:

    Runtimes that use Docker versions earlier than 18.09.2 or runC versions earlier than 1.0-rc6 are affected.

Fixes

Alibaba Cloud has fixed this vulnerability in the Docker versions used by ACK clusters of version 1.11 or 1.12. For other clusters, use one of the following methods to fix the vulnerability:

  • Upgrade Docker. Upgrade Docker to 18.09.2 or later, which ships a fixed runC. Upgrading the Docker engine may interrupt running containers and disrupt business.
  • Upgrade runC only (for Docker 17.06). To avoid business disruption caused by Docker engine upgrades, take the following steps to upgrade the runC binary on each cluster node:
    1. Run the following command to locate docker-runc. In most cases, docker-runc is located at /usr/bin/docker-runc. If the command prints a different path, use that path instead of /usr/bin/docker-runc in the following steps.
      which docker-runc
    2. Run the following command to back up the current runC:
      mv /usr/bin/docker-runc /usr/bin/docker-runc.orig.$(date -Iseconds)
    3. Run the following command to download the fixed runC:
      curl -o /usr/bin/docker-runc -sSL https://acs-public-mirror.oss-cn-hangzhou.aliyuncs.com/runc/docker-runc-17.06-amd64
    4. Run the following command to make docker-runc executable:
      chmod +x /usr/bin/docker-runc
    5. Run the following command to test whether runC works as expected:
      docker-runc -v
      # runc version 1.0.0-rc3
      # commit: fc48a25bde6fb041aae0977111ad8141ff396438
      # spec: 1.0.0-rc5
      docker run -it --rm ubuntu echo OK
    6. Optional: For GPU nodes in an ACK cluster, you must also replace nvidia-container-runtime, which is the same runC build with the NVIDIA prestart hook added, by taking the following steps:
      1. Run the following command to locate nvidia-container-runtime. In most cases, nvidia-container-runtime is located at /usr/bin/nvidia-container-runtime. If the command prints a different path, use that path instead of /usr/bin/nvidia-container-runtime in the following steps.
        which nvidia-container-runtime
      2. Run the following command to back up the current nvidia-container-runtime:
        mv /usr/bin/nvidia-container-runtime /usr/bin/nvidia-container-runtime.orig.$(date -Iseconds)
      3. Run the following command to download the fixed nvidia-container-runtime:
        curl -o /usr/bin/nvidia-container-runtime -sSL https://acs-public-mirror.oss-cn-hangzhou.aliyuncs.com/runc/nvidia-container-runtime-17.06-amd64
      4. Run the following command to make nvidia-container-runtime executable:
        chmod +x /usr/bin/nvidia-container-runtime
      5. Run the following command to test whether nvidia-container-runtime works as expected:
        nvidia-container-runtime -v
        #  runc version 1.0.0-rc3
        #  commit: fc48a25bde6fb041aae0977111ad8141ff396438-dirty
        #  spec: 1.0.0-rc5
        
        docker run -it --rm -e NVIDIA_VISIBLE_DEVICES=all ubuntu nvidia-smi -L
        #  GPU 0: Tesla P100-PCIE-16GB (UUID: GPU-122e199c-9aa6-5063-0fd2-da009017e6dc)
        Note: In this topic, the test was run on a node with a Tesla P100 GPU. The output of nvidia-smi varies with the GPU model.
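The following script is an added example for the Impacts and Fixes sections above; it is not Alibaba Cloud's tooling and not part of this topic. It encodes the version thresholds the Impacts section states (Docker earlier than 18.09.2 and runC earlier than 1.0-rc6 are affected), performs steps 2 to 5 of the runC-only fix as one operation with a backup and an automatic rollback, and applies equally to nvidia-container-runtime because that binary reports the same runC version line. Two points the steps alone do not show: the patched 17.06 docker-runc still reports runc version 1.0.0-rc3, so a node audit that only compares version strings would call a fixed node vulnerable, and the script therefore trusts the commit line shown in the sample output above before it trusts the version string; and the download steps publish no checksum, so the install function accepts an optional SHA-256 that you record on one node you trust and pin on the others. The function names, the node audit command, the optional checksum argument, and the sample inputs in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example for this page, not Alibaba Cloud's tooling. Assumptions: the
# thresholds are those in the Impacts section (Docker < 18.09.2, runC < 1.0-rc6
# affected) and the "patched" commit is the one the page's sample output shows.
set -eu

# "MAJOR.MINOR.PATCH[-suffix]" -> three decimal integers ("17.06.2-ce" -> "17 6 2").
# Leading zeros are stripped so "09" is not read as octal by the shell.
ver_triplet() {
    v=${1%%-*}; v=${v%%+*}; out=""
    for i in 1 2 3; do
        part=${v%%.*}
        case $v in *.*) v=${v#*.};; *) v="";; esac
        while case $part in 0?*) true;; *) false;; esac; do part=${part#0}; done
        case $part in ''|*[!0-9]*) part=0;; esac
        out="$out${out:+ }$part"
    done
    printf '%s\n' "$out"
}

# Release-candidate number ("1.0.0-rc6" -> 6); a final release ranks above any rc.
rc_num() {
    case $1 in
        *-rc*) n=${1##*-rc}; n=${n%%[!0-9]*}; printf '%s\n' "${n:-0}" ;;
        *)     printf '%s\n' 999999 ;;
    esac
}

# ver_ge A B: succeeds if version A >= version B (triplet first, then rc number).
ver_ge() {
    set -- $(ver_triplet "$1") $(rc_num "$1") $(ver_triplet "$2") $(rc_num "$2")
    if   [ "$1" -ne "$5" ]; then a=$1; b=$5
    elif [ "$2" -ne "$6" ]; then a=$2; b=$6
    elif [ "$3" -ne "$7" ]; then a=$3; b=$7
    else                         a=$4; b=$8
    fi
    if [ "$a" -ge "$b" ]; then return 0; else return 1; fi
}

# Thresholds from the Impacts section.
docker_affected() { if ver_ge "$1" 18.09.2;   then return 1; else return 0; fi; }
runc_affected()   { if ver_ge "$1" 1.0.0-rc6; then return 1; else return 0; fi; }

# Commit reported by the patched 17.06 docker-runc in the page's sample output.
PATCHED_17_06_COMMIT=fc48a25bde6fb041aae0977111ad8141ff396438

# Parse the text printed by `docker-runc -v` (or `nvidia-container-runtime -v`,
# which prints the same runC version line) into "VERSION COMMIT".
runc_version_info() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^runc version \(.*\)$/\1/p')
    commit=$(printf '%s\n' "$1" | sed -n 's/^commit: \([0-9a-f]*\).*$/\1/p')
    printf '%s %s\n' "${ver:-unknown}" "${commit:-unknown}"
}

# The backported fix keeps the 1.0.0-rc3 version string, so a version check alone
# would flag a patched node; trust the known patched commit first, version second.
runtime_is_patched() {   # runtime_is_patched "<output of BIN -v>"
    set -- $(runc_version_info "$1")
    if [ "$2" = "$PATCHED_17_06_COMMIT" ]; then return 0; fi
    if runc_affected "$1"; then return 1; else return 0; fi
}

# Steps 2-5 of the page as one operation: back up, install, smoke-test, and roll
# back if the new binary does not run. The page publishes no checksum; the optional
# EXPECTED_SHA256 lets you pin the hash you recorded on a node you trust.
install_runtime() {   # install_runtime TARGET NEW_BINARY [EXPECTED_SHA256]
    target=$1; new=$2; want=${3:-}
    if [ -n "$want" ]; then
        got=$(sha256sum "$new" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then echo "checksum mismatch for $new" >&2; return 1; fi
    fi
    backup="$target.orig.$(date -Iseconds)"
    if [ -e "$backup" ]; then echo "refusing to overwrite $backup" >&2; return 1; fi
    mv "$target" "$backup"
    if cp "$new" "$target" && chmod 0755 "$target" && "$target" -v >/dev/null 2>&1; then
        printf '%s\n' "$backup"        # caller gets the backup path
        return 0
    fi
    mv -f "$backup" "$target"          # restore the old binary; leave nothing half-done
    echo "install of $target failed; rolled back" >&2
    return 1
}

# Node audit (run on the node itself): vulnerable when Docker is below 18.09.2 and
# the runtime binary has not been replaced by a patched build.
audit_node() {
    dv=$(docker version --format '{{.Server.Version}}')
    rc_bin=$(command -v docker-runc || command -v runc)
    rv_out=$("$rc_bin" -v)
    if docker_affected "$dv" && ! runtime_is_patched "$rv_out"; then
        echo "VULNERABLE: docker $dv, $rc_bin $(runc_version_info "$rv_out")"; return 1
    fi
    echo "ok: docker $dv, $rc_bin $(runc_version_info "$rv_out")"
}

case ${1:-} in
    audit)   audit_node ;;
    install) install_runtime "$2" "$3" "${4:-}" ;;   # e.g. install /usr/bin/docker-runc ./docker-runc-17.06-amd64
esac
```

Run `sh fix-runc.sh audit` on a node before and after the fix; run `sh fix-runc.sh install /usr/bin/docker-runc ./docker-runc-17.06-amd64 <sha256>` after downloading the fixed binary to a temporary file rather than straight onto the path, so that a failed or truncated download never replaces the live binary. The same install call with /usr/bin/nvidia-container-runtime and the nvidia-container-runtime-17.06-amd64 file covers the GPU step.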