Tips for Patching CVE-2019-5736
Learn more about the recent vulnerability impacting cloud environments.
CVE-2019-5736 is a recently disclosed, serious vulnerability affecting runC (the default container runtime for Docker), containerd, Podman, and CRI-O. It allows an attacker-controlled rogue or compromised container running with elevated privileges to escape the container sandbox and take over the host machine with root-level privileges. Once an attacker controls a host, standard techniques can be used to extend the compromise to other machines in the cloud or on-premises data center, for example to gain access to sensitive information and exfiltrate it.
The vulnerable container runtime is a fundamental building block of cloud environments and data centers that use Docker and Kubernetes, so the vulnerability also affects related services, products, and open-source projects, such as the managed Kubernetes services offered by cloud providers and Linux distributions that ship Docker support. The vulnerability in the container runtime has been fixed, and security teams should upgrade their environments according to the announcements made by the vendors and developers; see, for example, the recent announcements from Google, AWS, and Red Hat.
However, since any infrastructure upgrade takes time to reach widespread adoption, this vulnerability may still be successfully abused for quite some time. Security teams should watch for behavioral changes in their cloud environments that may indicate a compromise, initiated for example through CVE-2019-5736, is in progress. Security tools should help administrators observe, identify, and be notified of significant changes in access patterns to databases in the data center, or unexpected connections to external endpoints that may be an attacker's command-and-control infrastructure. Adopting a firewall can help security teams find, investigate, and remediate compromised workloads and machines in the cloud environment.
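As an added illustration of the behavioral monitoring described above (this is example code written for this page, not code from the DZone article or from any vendor product), the script below builds a per-workload baseline of external endpoints from one window of container egress logs and then flags two deviations in a later window: a connection to an external endpoint the workload never contacted before, and database-port access from a workload that is not on an allowlist. The log line format, workload names, addresses, the internal address plan and the database allowlist are all constructed for the demo and would be replaced by a site's own flow logs and address plan.

```python
"""Baseline-deviation detection over constructed container egress logs.

Added example for the detection advice in the text; not code from the
article or any vendor tool. Log format, workload names, IP addresses,
the internal address plan and the database allowlist are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed internal address plan: any destination outside it is "external".
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed: common database ports and the workloads expected to reach databases.
DB_PORTS = {3306, 5432, 27017, 6379}
DB_ALLOWLIST = {"web-1", "worker-3"}

# Constructed log line format: "<timestamp> src=<workload> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

# Constructed baseline window (a quiet day) using documentation address ranges.
BASELINE_LOG = """\
2019-02-12T09:00:01 src=web-1 dst=10.0.2.15 dport=5432
2019-02-12T09:00:02 src=web-1 dst=203.0.113.10 dport=443
2019-02-12T09:01:10 src=worker-3 dst=10.0.2.15 dport=5432
2019-02-12T09:02:00 src=worker-3 dst=203.0.113.20 dport=443
"""

# Constructed later window: two deviations plus a malformed line that must be skipped.
LATER_LOG = """\
2019-02-13T10:00:00 src=web-1 dst=203.0.113.10 dport=443
2019-02-13T10:00:05 src=web-1 dst=198.51.100.23 dport=4444
2019-02-13T10:00:09 src=batch-9 dst=10.0.2.15 dport=5432
2019-02-13T10:00:12 src=worker-3 dst=10.0.2.15 dport=5432
this line is malformed and is skipped
"""


def parse(log_text):
    """Yield (ts, workload, dst_ip, dport) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        yield m["ts"], m["src"], dst, int(m["dport"])


def is_external(addr):
    """True when the destination lies outside the constructed internal address plan."""
    return not any(addr in net for net in INTERNAL_NETWORKS)


def build_baseline(log_text):
    """Per workload, the set of external (ip, port) endpoints seen in the baseline window."""
    seen = defaultdict(set)
    for _, workload, dst, dport in parse(log_text):
        if is_external(dst):
            seen[workload].add((str(dst), dport))
    return dict(seen)


def detect(log_text, baseline, db_allowlist=DB_ALLOWLIST):
    """Return alerts as (ts, workload, rule, endpoint) tuples, in log order."""
    alerts = []
    for ts, workload, dst, dport in parse(log_text):
        endpoint = f"{dst}:{dport}"
        # Rule 1: an external endpoint this workload never contacted during the baseline.
        if is_external(dst) and (str(dst), dport) not in baseline.get(workload, set()):
            alerts.append((ts, workload, "new-external-endpoint", endpoint))
        # Rule 2: database-port access from a workload that is not allowlisted.
        if dport in DB_PORTS and workload not in db_allowlist:
            alerts.append((ts, workload, "unexpected-db-access", endpoint))
    return alerts


if __name__ == "__main__":
    for alert in detect(LATER_LOG, build_baseline(BASELINE_LOG)):
        print(*alert)
```

Run as a script, it prints one line for the new external endpoint contacted by `web-1` and one for the database access by `batch-9`; the allowlisted workload and the endpoint already present in the baseline produce no alert. In a real deployment the baseline window should be long enough to cover the workload's normal traffic, and both rules are starting points for investigation rather than proof of compromise.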
Taking a high-level view, it will be interesting to see whether this vulnerability foreshadows a year of increased focus on cyber attacks against cloud environments in general, and the Kubernetes/Docker ecosystem in particular.