CVE-2019-5736

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.

Published: 2019-02-11 19:29
Updated: 2019-04-17 21:29

CVSS Score: 9.3 / 10
Vendor Product Version URI
Google Kubernetes Engine - cpe:/a:google:kubernetes_engine:-
Linuxcontainers Lxc - cpe:/a:linuxcontainers:lxc:-
Opencontainers Runc 1.0 cpe:/a:opencontainers:runc:1.0
Opencontainers Runc 1.0 cpe:/a:opencontainers:runc:1.0:rc1
Opencontainers Runc 1.0 cpe:/a:opencontainers:runc:1.0:rc2
Opencontainers Runc 1.0 cpe:/a:opencontainers:runc:1.0:rc3
Opencontainers Runc 1.0 cpe:/a:opencontainers:runc:1.0:rc4
Opencontainers Runc 1.0 cpe:/a:opencontainers:runc:1.0:rc5
Opencontainers Runc 1.0 cpe:/a:opencontainers:runc:1.0:rc6
Redhat Openshift 3.9 cpe:/a:redhat:openshift:3.9::~~enterprise~~~
Redhat Enterprise Linux 7.0 cpe:/o:redhat:enterprise_linux:7.0
Redhat Enterprise Linux Server 7.0 cpe:/o:redhat:enterprise_linux_server:7.0
Docker Docker 0.1.0 cpe:/a:docker:docker:0.1.0
Docker Docker 0.1.1 cpe:/a:docker:docker:0.1.1
Docker Docker 0.1.2 cpe:/a:docker:docker:0.1.2
Docker Docker 0.1.3 cpe:/a:docker:docker:0.1.3
Docker Docker 0.1.4 cpe:/a:docker:docker:0.1.4
Docker Docker 0.1.5 cpe:/a:docker:docker:0.1.5
Docker Docker 0.1.6 cpe:/a:docker:docker:0.1.6
Docker Docker 0.1.7 cpe:/a:docker:docker:0.1.7
Docker Docker 0.1.8 cpe:/a:docker:docker:0.1.8
Docker Docker 0.2.0 cpe:/a:docker:docker:0.2.0
Docker Docker 0.2.1 cpe:/a:docker:docker:0.2.1
Docker Docker 0.2.2 cpe:/a:docker:docker:0.2.2
Docker Docker 0.3.0 cpe:/a:docker:docker:0.3.0
Docker Docker 0.3.1 cpe:/a:docker:docker:0.3.1
Docker Docker 0.3.2 cpe:/a:docker:docker:0.3.2
Docker Docker 0.3.3 cpe:/a:docker:docker:0.3.3
Docker Docker 0.3.4 cpe:/a:docker:docker:0.3.4
Docker Docker 0.4.0 cpe:/a:docker:docker:0.4.0
Docker Docker 0.4.1 cpe:/a:docker:docker:0.4.1
Docker Docker 0.4.2 cpe:/a:docker:docker:0.4.2
Docker Docker 0.4.3 cpe:/a:docker:docker:0.4.3
Docker Docker 0.4.4 cpe:/a:docker:docker:0.4.4
Docker Docker 0.4.5 cpe:/a:docker:docker:0.4.5
Docker Docker 0.4.6 cpe:/a:docker:docker:0.4.6
Docker Docker 0.4.7 cpe:/a:docker:docker:0.4.7
Docker Docker 0.4.8 cpe:/a:docker:docker:0.4.8
Docker Docker 0.5.0 cpe:/a:docker:docker:0.5.0
Docker Docker 0.5.1 cpe:/a:docker:docker:0.5.1
Docker Docker 0.5.2 cpe:/a:docker:docker:0.5.2
Docker Docker 0.5.3 cpe:/a:docker:docker:0.5.3
Docker Docker 0.6.0 cpe:/a:docker:docker:0.6.0
Docker Docker 0.6.1 cpe:/a:docker:docker:0.6.1
Docker Docker 0.6.2 cpe:/a:docker:docker:0.6.2
Docker Docker 0.6.3 cpe:/a:docker:docker:0.6.3
Docker Docker 0.6.4 cpe:/a:docker:docker:0.6.4
Docker Docker 0.6.5 cpe:/a:docker:docker:0.6.5
Docker Docker 0.6.6 cpe:/a:docker:docker:0.6.6
Docker Docker 0.6.7 cpe:/a:docker:docker:0.6.7
Docker Docker 0.7.0 cpe:/a:docker:docker:0.7.0
Docker Docker 0.7.1 cpe:/a:docker:docker:0.7.1
Docker Docker 0.7.2 cpe:/a:docker:docker:0.7.2
Docker Docker 0.7.3 cpe:/a:docker:docker:0.7.3
Docker Docker 0.7.4 cpe:/a:docker:docker:0.7.4
Docker Docker 0.7.5 cpe:/a:docker:docker:0.7.5
Docker Docker 0.7.6 cpe:/a:docker:docker:0.7.6
Docker Docker 0.8.0 cpe:/a:docker:docker:0.8.0
Docker Docker 0.8.1 cpe:/a:docker:docker:0.8.1
Docker Docker 0.9.0 cpe:/a:docker:docker:0.9.0
Docker Docker 0.9.1 cpe:/a:docker:docker:0.9.1
Docker Docker 0.10. cpe:/a:docker:docker:0.10.
Docker Docker 0.11. cpe:/a:docker:docker:0.11.
Docker Docker 0.12. cpe:/a:docker:docker:0.12.
Docker Docker 1.0.0 cpe:/a:docker:docker:1.0.0
Docker Docker 1.0.1 cpe:/a:docker:docker:1.0.1
Docker Docker 1.1.0 cpe:/a:docker:docker:1.1.0
Docker Docker 1.1.1 cpe:/a:docker:docker:1.1.1
Docker Docker 1.1.2 cpe:/a:docker:docker:1.1.2
Docker Docker 1.2.0 cpe:/a:docker:docker:1.2.0
Docker Docker 1.3.0 cpe:/a:docker:docker:1.3.0
Docker Docker 1.3.1 cpe:/a:docker:docker:1.3.1
Docker Docker 1.3.2 cpe:/a:docker:docker:1.3.2
Docker Docker 1.3.3 cpe:/a:docker:docker:1.3.3
Docker Docker 1.4.0 cpe:/a:docker:docker:1.4.0
Docker Docker 1.4.1 cpe:/a:docker:docker:1.4.1
Docker Docker 1.5.0 cpe:/a:docker:docker:1.5.0
Docker Docker 1.6 cpe:/a:docker:docker:1.6
Docker Docker 1.6.0 cpe:/a:docker:docker:1.6.0
Docker Docker 1.6.1 cpe:/a:docker:docker:1.6.1
Docker Docker 1.6.2 cpe:/a:docker:docker:1.6.2
Docker Docker 1.7.0 cpe:/a:docker:docker:1.7.0
Docker Docker 1.7.1 cpe:/a:docker:docker:1.7.1
Docker Docker 1.8.0 cpe:/a:docker:docker:1.8.0
Docker Docker 1.8.1 cpe:/a:docker:docker:1.8.1
Docker Docker 1.8.2 cpe:/a:docker:docker:1.8.2
Docker Docker 1.8.3 cpe:/a:docker:docker:1.8.3
Docker Docker 1.9.0 cpe:/a:docker:docker:1.9.0
Docker Docker 1.9.1 cpe:/a:docker:docker:1.9.1
Docker Docker 1.10.0 cpe:/a:docker:docker:1.10.0
Docker Docker 1.10.1 cpe:/a:docker:docker:1.10.1
Docker Docker 1.10.2 cpe:/a:docker:docker:1.10.2
Docker Docker 1.10.3 cpe:/a:docker:docker:1.10.3
Docker Docker 1.11.0 cpe:/a:docker:docker:1.11.0
Docker Docker 1.11.1 cpe:/a:docker:docker:1.11.1
Docker Docker 1.11.2 cpe:/a:docker:docker:1.11.2
Docker Docker 1.12.0 cpe:/a:docker:docker:1.12.0
Docker Docker 1.12.1 cpe:/a:docker:docker:1.12.1
Docker Docker 1.12.2 cpe:/a:docker:docker:1.12.2
Docker Docker 1.12.3 cpe:/a:docker:docker:1.12.3
Docker Docker 1.12.4 cpe:/a:docker:docker:1.12.4
Docker Docker 1.12.5 cpe:/a:docker:docker:1.12.5
Docker Docker 1.12.6 cpe:/a:docker:docker:1.12.6
Docker Docker 1.13.0 cpe:/a:docker:docker:1.13.0
Docker Docker 1.13.1 cpe:/a:docker:docker:1.13.1
Redhat Openshift 3.4 cpe:/a:redhat:openshift:3.4
Redhat Openshift 3.5 cpe:/a:redhat:openshift:3.5
Redhat Openshift 3.6 cpe:/a:redhat:openshift:3.6
Redhat Openshift 3.7 cpe:/a:redhat:openshift:3.7
Hp Onesphere - cpe:/a:hp:onesphere:-
Apache Mesos 1.4.0 cpe:/a:apache:mesos:1.4.0
Apache Mesos 1.4.0 cpe:/a:apache:mesos:1.4.0:rc1
Apache Mesos 1.4.0 cpe:/a:apache:mesos:1.4.0:rc2
Apache Mesos 1.4.0 cpe:/a:apache:mesos:1.4.0:rc3
Apache Mesos 1.4.0 cpe:/a:apache:mesos:1.4.0:rc4
Apache Mesos 1.4.0 cpe:/a:apache:mesos:1.4.0:rc5
Apache Mesos 1.4.1 cpe:/a:apache:mesos:1.4.1
Apache Mesos 1.4.1 cpe:/a:apache:mesos:1.4.1:rc1
Apache Mesos 1.4.2 cpe:/a:apache:mesos:1.4.2
Apache Mesos 1.4.2 cpe:/a:apache:mesos:1.4.2:rc1
Apache Mesos 1.4.3 cpe:/a:apache:mesos:1.4.3:-
Apache Mesos 1.4.3 cpe:/a:apache:mesos:1.4.3:rc1
Apache Mesos 1.4.3 cpe:/a:apache:mesos:1.4.3:rc2
Apache Mesos 1.5.0 cpe:/a:apache:mesos:1.5.0
Apache Mesos 1.5.0 cpe:/a:apache:mesos:1.5.0:rc1
Apache Mesos 1.5.0 cpe:/a:apache:mesos:1.5.0:rc2
Apache Mesos 1.5.1 cpe:/a:apache:mesos:1.5.1
Apache Mesos 1.5.1 cpe:/a:apache:mesos:1.5.1:rc1
Apache Mesos 1.5.2 cpe:/a:apache:mesos:1.5.2:-
Apache Mesos 1.5.2 cpe:/a:apache:mesos:1.5.2:rc1
Apache Mesos 1.5.2 cpe:/a:apache:mesos:1.5.2:rc2
Apache Mesos 1.5.2 cpe:/a:apache:mesos:1.5.2:rc3
Apache Mesos 1.5.3 cpe:/a:apache:mesos:1.5.3:-
Apache Mesos 1.5.3 cpe:/a:apache:mesos:1.5.3:rc1
Apache Mesos 1.6.0 cpe:/a:apache:mesos:1.6.0
Apache Mesos 1.6.0 cpe:/a:apache:mesos:1.6.0:rc1
Apache Mesos 1.6.1 cpe:/a:apache:mesos:1.6.1
Apache Mesos 1.6.1 cpe:/a:apache:mesos:1.6.1:rc1
Apache Mesos 1.6.1 cpe:/a:apache:mesos:1.6.1:rc2
Apache Mesos 1.6.2 cpe:/a:apache:mesos:1.6.2:-
Apache Mesos 1.6.2 cpe:/a:apache:mesos:1.6.2:rc1
Apache Mesos 1.7.0 cpe:/a:apache:mesos:1.7.0
Apache Mesos 1.7.0 cpe:/a:apache:mesos:1.7.0:rc1
Apache Mesos 1.7.0 cpe:/a:apache:mesos:1.7.0:rc2
Apache Mesos 1.7.0 cpe:/a:apache:mesos:1.7.0:rc3
Netapp Element Software Management - cpe:/a:netapp:element_software_management:-
Opensuse Leap 15.0 cpe:/o:opensuse:leap:15.0
Opensuse Leap 42.3 cpe:/o:opensuse:leap:42.3

CWE

ID Name Description Links
CWE-216 Containment Errors (Container Errors) This tries to cover various problems in which improper data are included within a "container." CVE

References

Source Link
MISC https://access.redhat.com/security/cve/cve-2019-5736
MISC https://www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/
MISC https://github.com/rancher/runc-cve
MISC https://access.redhat.com/security/vulnerabilities/runcescape
MISC https://www.openwall.com/lists/oss-security/2019/02/11/2
MISC https://github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d
MISC https://aws.amazon.com/security/security-bulletins/AWS-2019-002/
MISC https://github.com/docker/docker-ce/releases/tag/v18.09.2
MISC https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc
MISC https://brauner.github.io/2019/02/12/privileged-containers.html
REDHAT https://access.redhat.com/errata/RHSA-2019:0303
REDHAT https://access.redhat.com/errata/RHSA-2019:0304
MISC https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
EXPLOIT-DB https://www.exploit-db.com/exploits/46359/
BID http://www.securityfocus.com/bid/106976
EXPLOIT-DB https://www.exploit-db.com/exploits/46369/
MISC https://github.com/q3k/cve-2019-5736-poc
CISCO https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc
MISC https://github.com/Frichetten/CVE-2019-5736-PoC
MISC https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
CONFIRM https://www.synology.com/security/advisory/Synology_SA_19_06
REDHAT https://access.redhat.com/errata/RHSA-2019:0401
REDHAT https://access.redhat.com/errata/RHSA-2019:0408
CONFIRM https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us
CONFIRM https://security.netapp.com/advisory/ntap-20190307-0008/
MLIST https://lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706@%3Cuser.mesos.apache.org%3E
MLIST http://www.openwall.com/lists/oss-security/2019/03/23/1
MISC https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
MISC https://bugzilla.suse.com/show_bug.cgi?id=1121967
MLIST https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html
CONFIRM https://support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html

History of changes

Date Event
2019-04-17 21:29
2019-03-25 16:29
2019-03-23 18:29
2019-03-23 16:29
2019-03-08 11:29
2019-03-04 15:39
2019-03-02 11:29
2019-02-27 14:39
2019-02-27 11:29
2019-02-26 11:29
2019-02-23 11:29
2019-02-19 21:34
2019-02-18 16:29
2019-02-16 21:29
2019-02-15 11:29
2019-02-13 11:30
2019-02-13 00:29
2019-02-12 11:29
2019-02-12 04:29
2019-02-11 19:29 New CVE