UPDATE VMware: Root Compromise -- Existing Account

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.0498.3
         VMware product updates resolve mishandled file descriptor
                 vulnerability in runc container runtime.
                             25 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware Integrated OpenStack with Kubernetes
                   VMware vSphere Integrated Containers
                   VMware PKS
                   VMware vCloud Director Container Service Extension
Publisher:         VMware
Operating System:  Virtualisation
Impact/Access:     Root Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5736  

Reference:         ESB-2019.0488
                   ESB-2019.0466
                   ESB-2019.0458
                   ESB-2019.0428
                   ESB-2019.0427

Original Bulletin: 
   https://www.vmware.com/security/advisories/VMSA-2019-0001.html

Revision History:  February 25 2019: Updated security advisory in conjunction 
                                     with the release of VMware PKS 1.3.3 and 
                                     1.2.10 on 2019-02-22. Note: VMware PKS 1.3.2 
                                     and 1.2.9 were incorrectly listed as resolving 
                                     CVE-2019-5736 in the original version of 
                                     this advisory.
                   February 20 2019: Added VMSA-2019-0001.1 and VMSA-2019-0001.2
                   February 18 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

VMware Security Advisories

VMSA-2019-0001.3

VMware product updates resolve mishandled file descriptor vulnerability in runc
container runtime.

VMware Security Advisory

Advisory ID: 	VMSA-2019-0001.3

Severity: 	Important

Synopsis: 	VMware product updates resolve mishandled file descriptor 
		vulnerability in runc container runtime.

Issue date: 	2019-02-15

Updated on: 	2019-02-22

CVE numbers: 	CVE-2019-5736

1. Summary

VMware product updates resolve mishandled file descriptor vulnerability in runc
container runtime.

2. Relevant Products

- -VMware Integrated OpenStack with Kubernetes (VIO-K)
- -VMware PKS (PKS)
- -VMware vCloud Director Container Service Extension (CSE)
- -vSphere Integrated Containers (VIC)
 
3. Problem Description

VMware product updates resolve mishandled file descriptor vulnerability in runc
container runtime. Successful exploitation of this issue may allow a malicious
container to overwrite the contents of a host's runc binary and execute
arbitrary code. Exploitation of this vulnerability requires the attacker to
have existing permission to deploy containers or run docker exec.
Alternatively, an attacker could trick a user with these permissions into
deploying a malicious container or running docker exec for them.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the identifier CVE-2019-5736 to this issue.

Column 5 of the following table lists the action required to remediate the
vulnerability in each release, if a solution is available.
 
+-----------+-----------+-------+---------+------------------+----------------+
|  VMware   |  Product  |Running|Severity |  Replace_with/   |  Mitigation/   |
|  Product  |  Version  |  On   |         |   Apply_Patch    |   Workaround   |
+-----------+-----------+-------+---------+------------------+----------------+
|VIO-K      |5.x        |Any    |Important|Patch Pending     |None            |
+-----------+-----------+-------+---------+------------------+----------------+
|PKS        |1.3.x      |Any    |Important|1.3.3             |None            |
+-----------+-----------+-------+---------+------------------+----------------+
|PKS        |1.2.x      |Any    |Important|1.2.10            |None            |
+-----------+-----------+-------+---------+------------------+----------------+
|CSE        |1.x        |Any    |Important|1.2.7             |None            |
+-----------+-----------+-------+---------+------------------+----------------+
|VIC        |1.x        |Any    |Important|1.5.1             |None            |
+-----------+-----------+-------+---------+------------------+----------------+

4. Solution

Please review the patch/release notes for your product and version and verify
the checksum of your downloaded file.

VMware PKS 1.3.3

Downloads:
https://network.pivotal.io/products/pivotal-container-service/#/releases/309133
Documentation:
https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.3/rn/
VMware-PKS-13-Release-Notes.html

VMware PKS 1.2.10

Downloads:

https://network.pivotal.io/products/pivotal-container-service/#/releases/309126

Documentation:
https://docs.vmware.com/en/VMware-Pivotal-Container-Service/1.2/rn/
VMware-PKS-12-Release-Notes.html

VMware vCloud Director Container Service Extension 1.2.7

Downloads:
https://pypi.org/project/container-service-extension/1.2.7/
Documentation:
https://vmware.github.io/container-service-extension/RELEASE_NOTES.html

vSphere Inegrated Containers 1.5.1

Downloads:
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/
vmware_vsphere_integrated_containers/1_5
Documentation:
https://docs.vmware.com/en/VMware-vSphere-Integrated-Containers/1.5.1/rn/
VMware-vSphere-Integrated-Containers-151-Release-Notes.html

5. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
https://pivotal.io/security/cve-2019-5736

6. Change log

2019-02-15: VMSA-2019-0001
Initial security advisory following the release of VMware PKS 1.3.2 and 1.2.9
on 2019-02-13.

2019-02-15: VMSA-2019-0001.1
Updated security advisory in conjunction with the release of VMware vCloud
Director Container Service Extension 1.2.7 on 2019-02-15.

2019-02-19: VMSA-2019-0001.2
Updated security advisory in conjunction with the release of vSphere Integrated
Containers 1.5.1 on 2019-02-19.

2019-02-22: VMSA-2019-0001.3
Updated security advisory in conjunction with the release of VMware PKS 1.3.3
and 1.2.10 on 2019-02-22. Note: VMware PKS 1.3.2 and 1.2.9 were incorrectly
listed as resolving CVE-2019-5736 in the original version of this advisory.

7. Contact

E-mail list for product security notifications and announcements:
https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXHOco2aOgq3Tt24GAQhmnxAAlee87KqOB8PzXkO2v8pmzePV0ISWn56W
FaHGdMjAqgohrA+4egwvZsnlpoGklOEo7B0LAtmfKkDS0/xH5T+GmtkD9UrA9pl/
Lq3fyYcIJllNg6oZN9PZVQFsMKkJy/kUKrjIayh6IYOCU4Q3JcplD1grCgfeWNsA
TfGrILOA0rI3n9XQfFvUS0lJ3/njPoKT8zsoPe9BPlM6SvKmFXHGXLCurqwCddQZ
dBD1JLOotP/8iST/j8dIVoKgTZ4l/6f/EcQeneeEsJ87pLBxJ5CVXrNP1pHzyXJu
h8UZvTF6Vt2PZZuW75QhlHmEkVAZn+ey9DUQthxS4Eu6ULWkDNExnM9jIMZpSdh9
jtsCmC4326EEPGG07evP0jOe45TNmy87O3stx4DrIiEaocVqyQe1BXaf/8B3iRzE
fBk76DrLgQIHqmrhVwnys5hTk/BHxxK2Vzsgyqfz+/qekTWfKONvmbQYNwyiVZ4+
NhkTlEM9X4uRmT8bxCN6sCk9wAClL20yVdbIoF3Y2u5O/0jQCSmc+8dXAE1namOB
xh2bLDUK987J7dGm42LLwpdJeBg0WeZH+aYRydGbiSD9gDGHaF8ozot1JRMn0rnQ
rhEqIJI7AAW61mBkWEqEg8cPcn6N3npYzMfXRCiycKpvK8TjeQ9G4Tw42BDxjhXf
vT0UmGhYTyI=
=jqH9
-----END PGP SIGNATURE-----