-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0498.3
   VMware product updates resolve mishandled file descriptor vulnerability
                          in runc container runtime.
                              25 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Integrated OpenStack with Kubernetes
                   VMware vSphere Integrated Containers
                   VMware PKS
                   VMware vCloud Director Container Service Extension
Publisher:         VMware
Operating System:  Virtualisation
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5736

Reference:         ESB-2019.0488
                   ESB-2019.0466
                   ESB-2019.0458
                   ESB-2019.0428
                   ESB-2019.0427

Original Bulletin:
   https://www.vmware.com/security/advisories/VMSA-2019-0001.html

Revision History:  February 25 2019: Updated security advisory in conjunction
                                     with the release of VMware PKS 1.3.3 and
                                     1.2.10 on 2019-02-22. Note: VMware PKS
                                     1.3.2 and 1.2.9 were incorrectly listed
                                     as resolving CVE-2019-5736 in the
                                     original version of this advisory.
                   February 20 2019: Added VMSA-2019-0001.1 and
                                     VMSA-2019-0001.2
                   February 18 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

VMSA-2019-0001.3

VMware product updates resolve mishandled file descriptor vulnerability in
runc container runtime.

VMware Security Advisory

Advisory ID: VMSA-2019-0001.3
Severity:    Important
Synopsis:    VMware product updates resolve mishandled file descriptor
             vulnerability in runc container runtime.
Issue date:  2019-02-15
Updated on:  2019-02-22
CVE numbers: CVE-2019-5736

1. Summary

   VMware product updates resolve mishandled file descriptor vulnerability in
   runc container runtime.

2. Relevant Products

   - -VMware Integrated OpenStack with Kubernetes (VIO-K)
   - -VMware PKS (PKS)
   - -VMware vCloud Director Container Service Extension (CSE)
   - -vSphere Integrated Containers (VIC)

3. Problem Description

   VMware product updates resolve mishandled file descriptor vulnerability in
   runc container runtime.

   Successful exploitation of this issue may allow a malicious container to
   overwrite the contents of a host's runc binary and execute arbitrary code.
   Exploitation of this vulnerability requires the attacker to have existing
   permission to deploy containers or run docker exec. Alternatively, an
   attacker could trick a user with these permissions into deploying a
   malicious container or running docker exec for them.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the identifier CVE-2019-5736 to this issue.

   Column 5 of the following table lists the action required to remediate the
   vulnerability in each release, if a solution is available.

   +-----------+-----------+-------+---------+------------------+----------------+
   | VMware    | Product   |Running|Severity | Replace_with/    | Mitigation/    |
   | Product   | Version   | On    |         | Apply_Patch      | Workaround     |
   +-----------+-----------+-------+---------+------------------+----------------+
   |VIO-K      |5.x        |Any    |Important|Patch Pending     |None            |
   +-----------+-----------+-------+---------+------------------+----------------+
   |PKS        |1.3.x      |Any    |Important|1.3.3             |None            |
   +-----------+-----------+-------+---------+------------------+----------------+
   |PKS        |1.2.x      |Any    |Important|1.2.10            |None            |
   +-----------+-----------+-------+---------+------------------+----------------+
   |CSE        |1.x        |Any    |Important|1.2.7             |None            |
   +-----------+-----------+-------+---------+------------------+----------------+
   |VIC        |1.x        |Any    |Important|1.5.1             |None            |
   +-----------+-----------+-------+---------+------------------+----------------+

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   VMware PKS 1.3.3
   Downloads:
   https://network.pivotal.io/products/pivotal-container-service/#/releases/309133
   Documentation:
   https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.3/rn/VMware-PKS-13-Release-Notes.html

   VMware PKS 1.2.10
   Downloads:
   https://network.pivotal.io/products/pivotal-container-service/#/releases/309126
   Documentation:
   https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.2/rn/VMware-PKS-12-Release-Notes.html

   VMware vCloud Director Container Service Extension 1.2.7
   Downloads:
   https://pypi.org/project/container-service-extension/1.2.7/
   Documentation:
   https://vmware.github.io/container-service-extension/RELEASE_NOTES.html

   vSphere Integrated Containers 1.5.1
   Downloads:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_integrated_containers/1_5
   Documentation:
   https://docs.vmware.com/en/VMware-vSphere-Integrated-Containers/1.5.1/rn/VMware-vSphere-Integrated-Containers-151-Release-Notes.html

5. References

   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
   https://pivotal.io/security/cve-2019-5736

6. Change log

   2019-02-15: VMSA-2019-0001
   Initial security advisory following the release of VMware PKS 1.3.2 and
   1.2.9 on 2019-02-13.

   2019-02-15: VMSA-2019-0001.1
   Updated security advisory in conjunction with the release of VMware vCloud
   Director Container Service Extension 1.2.7 on 2019-02-15.

   2019-02-19: VMSA-2019-0001.2
   Updated security advisory in conjunction with the release of vSphere
   Integrated Containers 1.5.1 on 2019-02-19.

   2019-02-22: VMSA-2019-0001.3
   Updated security advisory in conjunction with the release of VMware PKS
   1.3.3 and 1.2.10 on 2019-02-22. Note: VMware PKS 1.3.2 and 1.2.9 were
   incorrectly listed as resolving CVE-2019-5736 in the original version of
   this advisory.

7. Contact

   E-mail list for product security notifications and announcements:
   https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXHOco2aOgq3Tt24GAQhmnxAAlee87KqOB8PzXkO2v8pmzePV0ISWn56W
FaHGdMjAqgohrA+4egwvZsnlpoGklOEo7B0LAtmfKkDS0/xH5T+GmtkD9UrA9pl/
Lq3fyYcIJllNg6oZN9PZVQFsMKkJy/kUKrjIayh6IYOCU4Q3JcplD1grCgfeWNsA
TfGrILOA0rI3n9XQfFvUS0lJ3/njPoKT8zsoPe9BPlM6SvKmFXHGXLCurqwCddQZ
dBD1JLOotP/8iST/j8dIVoKgTZ4l/6f/EcQeneeEsJ87pLBxJ5CVXrNP1pHzyXJu
h8UZvTF6Vt2PZZuW75QhlHmEkVAZn+ey9DUQthxS4Eu6ULWkDNExnM9jIMZpSdh9
jtsCmC4326EEPGG07evP0jOe45TNmy87O3stx4DrIiEaocVqyQe1BXaf/8B3iRzE
fBk76DrLgQIHqmrhVwnys5hTk/BHxxK2Vzsgyqfz+/qekTWfKONvmbQYNwyiVZ4+
NhkTlEM9X4uRmT8bxCN6sCk9wAClL20yVdbIoF3Y2u5O/0jQCSmc+8dXAE1namOB
xh2bLDUK987J7dGm42LLwpdJeBg0WeZH+aYRydGbiSD9gDGHaF8ozot1JRMn0rnQ
rhEqIJI7AAW61mBkWEqEg8cPcn6N3npYzMfXRCiycKpvK8TjeQ9G4Tw42BDxjhXf
vT0UmGhYTyI=
=jqH9
-----END PGP SIGNATURE-----
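Added example, not part of the VMware advisory or the AusCERT bulletin above: the advisory states that successful exploitation of CVE-2019-5736 lets a malicious container overwrite the contents of the host's runc binary, and section 4 asks operators to verify the checksum of what they download. The POSIX shell script below turns that into a repeatable host check: it records a SHA256 baseline for the runc binary (and any other binaries named) once the patched release is installed, and re-checks the baseline later so that an overwritten or missing runc shows up as hash drift. The baseline file name, the use of coreutils sha256sum and the example runc path are assumptions; the built-in demo runs against a constructed stand-in file in a temporary directory rather than a real runc.

```shell
#!/bin/sh
# Added example, not from the VMware advisory or the AusCERT bulletin.
# Records SHA256 hashes of the host's runc binary (and any other paths given)
# into a baseline file, then re-checks them later: a runc binary overwritten
# from inside a container, the outcome the advisory describes for
# CVE-2019-5736, shows up as hash drift. Assumptions: coreutils sha256sum is
# available; the baseline path and the runc path (e.g. /usr/bin/runc) are
# chosen by the operator.

set -u

# Hex SHA256 digest of one file.
file_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# record_baseline BASELINE PATH... : write "<sha256>  <path>" per file.
# Run this right after installing the patched release, from a trusted host.
# Paths that do not exist are reported on stderr and left out of the baseline.
record_baseline() {
    baseline=$1
    shift
    : > "$baseline"
    for p in "$@"; do
        if [ ! -f "$p" ]; then
            echo "skip: $p not found" >&2
            continue
        fi
        printf '%s  %s\n' "$(file_sha256 "$p")" "$p" >> "$baseline"
    done
}

# check_baseline BASELINE : compare every recorded file with its current hash.
# Returns 0 when all entries match, 1 when any file changed or is missing.
check_baseline() {
    baseline=$1
    rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        actual=$(file_sha256 "$path")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "CHANGED  $path"
            echo "         expected $expected"
            echo "         got      $actual"
            rc=1
        fi
    done < "$baseline"
    return "$rc"
}

# Stand-alone demo on a constructed stand-in file (no real runc is touched).
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for a runc binary\n' > "$d/runc"
    record_baseline "$d/runc.sha256" "$d/runc"
    check_baseline "$d/runc.sha256"                           # all entries match
    printf 'constructed stand-in, now overwritten\n' > "$d/runc"
    check_baseline "$d/runc.sha256" || echo "drift detected"  # hash differs
    rm -rf "$d"
}
demo
```

In practice the baseline file should be written from a trusted host right after the patched release is installed and stored somewhere a container cannot reach (a read-only management host or a configuration management store), and `check_baseline` scheduled from the host side; a baseline kept next to the binary it protects can be overwritten by the same write that replaces runc.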