VMware has released patches for the recent runc container runtime vulnerability (CVE-2019-5736), which affects VMware's container-based products. The vulnerability lets a malicious container, or an attacker who can run `docker exec` into an existing container, overwrite the host runc binary and thereby gain root-level code execution on the host. For PKS, the fix consists mainly of updating the Docker version deployed by PKS to 18.06.2-ce.
The issue is tracked in VMware Security Advisory VMSA-2019-0001 (revisions .1, .2 and .3), which lists the patches that mitigate the threat to containerized environments.
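Two quick host-side checks follow, as an added example that is not part of this article or of VMware's advisory: one tells whether the installed Docker CE is at or above 18.06.2-ce (the version the PKS fix deploys, per the text above), the other tells whether the host runc binary still matches a hash you recorded before exposure, since a successful exploit rewrites that binary. The `docker --version` banner format, the `/usr/bin/docker-runc` path and the `BASELINE_SHA256` variable are assumptions for illustration, not values from the advisory.

```shell
#!/bin/sh
# Added example, not part of the VMware advisory or this article.
# Local checks for CVE-2019-5736 on a Docker host:
#   1. is the installed Docker CE at or above 18.06.2-ce?
#   2. has the host runc binary changed since a known-good hash was recorded?
# The runc path and baseline hash variable used in the usage comment are placeholders.

# version_ge A B: succeed (exit 0) if dotted version A >= B.
# Suffixes such as "-ce" or "+build" are ignored; missing components count as 0.
version_ge() {
  a=${1%%[-+]*}
  b=${2%%[-+]*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}
    y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
    case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
  done
  return 0
}

# docker_version_from_banner "Docker version 18.06.1-ce, build e68fc7a" -> 18.06.1-ce
# (assumes the banner format printed by `docker --version`)
docker_version_from_banner() {
  v=${1#Docker version }
  printf '%s\n' "${v%%,*}"
}

# docker_is_patched BANNER: succeed if the Docker version in BANNER is >= 18.06.2-ce.
docker_is_patched() {
  version_ge "$(docker_version_from_banner "$1")" "18.06.2-ce"
}

# sha256_of FILE: print the SHA-256 hex digest (GNU coreutils or BSD/macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# runc_unchanged PATH EXPECTED_SHA256: succeed if PATH still hashes to the recorded baseline.
# A successful CVE-2019-5736 exploit rewrites the host runc binary, so the digest changes.
runc_unchanged() {
  [ -f "$1" ] || return 1
  [ "$(sha256_of "$1")" = "$2" ]
}

# Usage on a real host (placeholder path and variable, not values from the advisory):
#   docker_is_patched "$(docker --version)" || echo "Docker older than 18.06.2-ce: update"
#   runc_unchanged /usr/bin/docker-runc "$BASELINE_SHA256" || echo "runc digest changed: investigate"
```

The hash comparison is only meaningful if the baseline was taken from a trusted copy of the binary (for example right after installing the package); on package-managed hosts `rpm -V` or `dpkg --verify` gives the same answer against the vendor manifest without a locally stored baseline.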
Which VMware Products Are Affected?
Patches have been released for the following affected VMware products:
- VIO-K : VMware Integrated OpenStack with Kubernetes
- PKS : VMware PKS
- CSE : VMware vCloud Director Container Service Extension
- VIC : vSphere Integrated Containers
To mitigate the risk, the containerized solutions listed above should be upgraded to the patched versions. At the time of writing, patches for VMware Integrated OpenStack with Kubernetes (VIO-K) and vSphere Integrated Containers (VIC) were still pending.
Update as of 23/02/2019
Patches for VMware PKS (PKS)
Please note that the initial advisory release incorrectly stated that VMware PKS 1.3.2 and VMware PKS 1.2.9 resolve CVE-2019-5736. The corrected patch versions for VMware PKS are:
- PKS 1.3.x: upgrade from 1.3.1 or 1.3.2 to 1.3.3 (1.3.1 or 1.3.2 -> 1.3.3)
- PKS 1.2.x: upgrade to 1.2.8 or 1.2.9 first if needed, then to 1.2.10 (1.2.8 or 1.2.9 -> 1.2.10)
Patches for VMware vCloud Director Container Service Extension (CSE)
Upgrade the VMware vCloud Director Container Service Extension to version 1.2.7.
Update as of 19/02/2019
Patches for vSphere Integrated Containers (VIC)
VMware has released a patch for vSphere Integrated Containers; upgrade to VIC 1.5.1 to mitigate the vulnerability.