Alibaba Cloud Repairs RunC Vulnerability Announcement

On February 12, just after the Spring Festival, news headlines such as "runC hit by serious vulnerability: Kubernetes, Docker and more affected" were circulating on WeChat Moments.

runC is the underlying container runtime used by container-dependent applications such as Docker and Kubernetes. The critical security flaw disclosed this time could allow an attacker to execute arbitrary commands on the host as root.

Container security has always been a weak point of container technology. The biggest security hazard with containers is that attackers can use malicious programs to compromise a container and, in more serious cases, go on to attack the host system.

On February 11, 2019, researchers disclosed the details of the runc container escape vulnerability via the oss-security mailing list. Under Openwall's disclosure policy, the exploit (EXP) will be published on February 18, 2019.

Also on February 12, the Alibaba Cloud Documentation Center released the "Announcement on Fixing the runc Vulnerability CVE-2019-5736".

Alibaba Cloud Container Service has fixed the runc vulnerability CVE-2019-5736. This article describes the scope of the vulnerability and how to resolve it.

Background: Docker, containerd and other runc-based containers have a security vulnerability at runtime. Through a specially crafted container image or an exec operation, an attacker can obtain a file handle to the host's runc binary while it is executing and overwrite that binary, thereby obtaining root execution privileges on the host.
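Because the attack described above ends with the host's runc binary being overwritten, a simple host-side control is to record a hash of runc at deployment time and re-check it periodically. The script below is an added example and is not part of the Alibaba Cloud announcement or the runc project; the paths it uses (a temporary directory standing in for the real runc binary and its baseline file) are assumptions for the demo, and on a real host you would point it at the actual runc path.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud announcement): an integrity
# check for the host's runc binary. CVE-2019-5736 works by overwriting
# runc on the host, so comparing the binary's SHA-256 against a baseline
# recorded at deployment time detects a tampered runc after the fact.
# The paths used in the demo below are constructed stand-ins.

# Print the SHA-256 hex digest of a file (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Record the baseline digest of the runc binary into a baseline file.
# Usage: record_runc_baseline /path/to/runc /path/to/runc.sha256
record_runc_baseline() {
    runc_path="$1"
    baseline_file="$2"
    sha256_of "$runc_path" > "$baseline_file"
}

# Compare the current digest with the baseline.
# Returns 0 if unchanged, 1 if the binary was modified, 2 if no baseline exists.
check_runc_integrity() {
    runc_path="$1"
    baseline_file="$2"
    [ -f "$baseline_file" ] || return 2
    expected=$(cat "$baseline_file")
    actual=$(sha256_of "$runc_path")
    [ "$expected" = "$actual" ] && return 0
    return 1
}

# Self-contained demo on a constructed stand-in binary in a temp directory,
# so running this does not touch the real runc on the host.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for the runc binary\n' > "$demo_dir/runc"
record_runc_baseline "$demo_dir/runc" "$demo_dir/runc.sha256"
if check_runc_integrity "$demo_dir/runc" "$demo_dir/runc.sha256"; then
    echo "runc unchanged"
fi
# Simulate the binary being overwritten, then re-check.
printf 'unexpected change\n' >> "$demo_dir/runc"
if ! check_runc_integrity "$demo_dir/runc" "$demo_dir/runc.sha256"; then
    echo "runc modified: treat the host as compromised and investigate"
fi
rm -rf "$demo_dir"
```

On a real host, run record_runc_baseline once right after installing the patched runc and store the baseline somewhere containers cannot write to; a mismatch on a later check means the binary changed after the baseline was taken and the host should be isolated and investigated, not just re-patched.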

Some members of the Yunqi Community asked:

Has Ali's k8s container service already been repaired? Is no manual processing required?

The group owner replied: New clusters are not affected. Old clusters need to manually upgrade the affected version of docker or runc. You can follow the specific repair steps in the document.

