Following on from this: -
CVE-2019-5736
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
IBM issued this: -
Security Bulletin: IBM Cloud Kubernetes Service is affected by a privilege escalation vulnerability in runc
...
IBM Cloud Kubernetes Service is affected by a security vulnerability in runc which could allow an attacker that is authorized to run a process as root inside a container to execute arbitrary commands with root privileges on the container’s host system....
Updates for IBM Cloud Kubernetes Service cluster worker nodes at versions 1.10 and later will be available shortly that fix this vulnerability. Customers must update their worker nodes to address the vulnerability. See Updating worker nodes for details on updating worker nodes. To verify your cluster worker nodes have been updated, use the following IBM Cloud CLI command to confirm the currently running version:
...
I've got an IKS cluster running: -
https://cloud.ibm.com/containers-kubernetes/overview
so wanted to ensure that my worker node was suitably patched.
So, having logged into IBM Cloud: -
ibmcloud login ....
I checked my cluster: -
ibmcloud ks workers --cluster dmhIKSCluster
OK
ID Public IP Private IP Machine Type State Status Zone Version
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1 192.168.153.123 10.94.221.198 u2c.2x4.encrypted normal Ready dal10 1.11.6_1541*
* To update to 1.11.7_1544 version, run 'ibmcloud ks worker-update'. Review and make any required version changes before you update: https://console.bluemix.net/docs/containers/cs_cluster_update.html#worker_node
and then updated the worker: -
ibmcloud ks worker-update --cluster dmhIKSCluster --workers kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1
Updating the worker node version can cause downtime for your apps and services. During the update, all pods might be rescheduled onto other worker nodes and data is deleted if not stored outside the pod. To avoid downtime, ensure that you have enough worker nodes to handle your workload while the selected worker nodes are updating.
You might need to change your YAML files for deployments before updating. Review the docs for details: https://console.bluemix.net/docs/containers/cs_cluster_update.html#worker_node
Are you sure you want to update your worker node [kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1] to 1.11.7_1544? [y/N]> y
Updating worker kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1...
OK
ibmcloud ks workers --cluster dmhIKSCluster
OK
ID Public IP Private IP Machine Type State Status Zone Version
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1 192.168.153.123 10.94.221.198 u2c.2x4.encrypted normal Ready dal10 1.11.6_1541 --> 1.11.7_1544 (pending)
ibmcloud ks workers --cluster dmhIKSCluster
OK
ID Public IP Private IP Machine Type State Status Zone Version
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1 192.168.153.123 10.94.221.198 u2c.2x4.encrypted normal Ready dal10 1.11.6_1541 --> 1.11.7_1544 (pending)
ibmcloud ks workers --cluster dmhIKSCluster
OK
ID Public IP Private IP Machine Type State Status Zone Version
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1 192.168.153.123 10.94.221.198 u2c.2x4.encrypted reloading Waiting for IBM Cloud infrastructure: Setup provision configuration dal10 1.11.6_1541 --> 1.11.7_1544 (pending)
ibmcloud ks workers --cluster dmhIKSCluster
OK
ID Public IP Private IP Machine Type State Status Zone Version
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1 192.168.153.123 10.94.221.198 u2c.2x4.encrypted normal Ready dal10 1.11.7_1544
So, after a small amount of time, I'm all updated.
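The check-then-poll loop above is easy to script. The following is an added example, not code from the original post or from IBM: it reads the worker list, compares each worker's running version numerically against a minimum patched version, and keeps polling until every worker is back to normal/Ready. It assumes that `ibmcloud ks workers --cluster <name> --json` returns a JSON list of worker objects with `id`, `kubeVersion`, `targetVersion`, `state` and `status` keys (verify the field names against your CLI version), that worker versions look like `1.11.7_1544`, and that `1.11.7_1544`, the version the post updates to, is the minimum fixed version; substitute whichever version IBM's bulletin names for your cluster's Kubernetes minor. The one point worth getting right: a worker whose `kubeVersion` is still the old one while `targetVersion` is the new one is mid-update, and the runc on that node is not fixed until the OS reload finishes, so it is still reported as unpatched.

```python
#!/usr/bin/env python3
"""Check IKS worker versions against a minimum patched version and, optionally,
wait for an in-progress 'ibmcloud ks worker-update' to finish.

Added example, not from the original post or from IBM.  Assumptions:
  * `ibmcloud ks workers --cluster <name> --json` prints a JSON list of worker
    objects with "id", "kubeVersion", "targetVersion", "state", "status".
  * Worker versions look like "1.11.7_1544" (k8s version, '_', IKS build).
  * MINIMUM_FIXED is the version the post updates to; replace with the version
    IBM's bulletin lists for your cluster's Kubernetes minor.
"""
import json
import re
import subprocess
import sys
import time
from typing import Dict, List, Tuple

MINIMUM_FIXED = "1.11.7_1544"  # assumption, see docstring

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)_(\d+)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.11.6_1541' -> (1, 11, 6, 1541).  Compare numerically, not as strings:
    '1.11.10_1600' must sort after '1.11.9_1599'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised worker version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(version: str, minimum: str = MINIMUM_FIXED) -> bool:
    return parse_version(version) >= parse_version(minimum)


def unpatched_workers(workers: List[Dict], minimum: str = MINIMUM_FIXED) -> List[str]:
    """IDs of workers whose *running* version is below the minimum.  A worker
    mid-update (old kubeVersion, new targetVersion) still counts: runc on that
    node is not fixed until the reload completes."""
    return sorted(w["id"] for w in workers if not is_patched(w["kubeVersion"], minimum))


def all_patched_and_ready(workers: List[Dict], minimum: str = MINIMUM_FIXED) -> bool:
    """True only when every worker runs >= minimum AND reports normal/Ready,
    i.e. the OS reload triggered by the update has finished."""
    return bool(workers) and all(
        is_patched(w["kubeVersion"], minimum)
        and w.get("state") == "normal"
        and w.get("status") == "Ready"
        for w in workers
    )


def fetch_workers(cluster: str) -> List[Dict]:
    """Run the CLI (needs a prior `ibmcloud login`); assumes --json output."""
    out = subprocess.run(
        ["ibmcloud", "ks", "workers", "--cluster", cluster, "--json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def wait_for_workers(cluster: str, minimum: str = MINIMUM_FIXED,
                     poll_seconds: int = 60, timeout_seconds: int = 3600) -> bool:
    """Poll until every worker is patched and Ready, or give up after timeout."""
    deadline = time.monotonic() + timeout_seconds
    while time.monotonic() < deadline:
        workers = fetch_workers(cluster)
        if all_patched_and_ready(workers, minimum):
            return True
        for w in workers:
            print(f"{w['id']}: {w['kubeVersion']} -> {w.get('targetVersion')} "
                  f"[{w.get('state')}/{w.get('status')}]")
        time.sleep(poll_seconds)
    return False


# Constructed sample in the assumed --json shape (not real CLI output):
# w1 unpatched, w2 patched and Ready, w3 mid-reload (old version still running).
SAMPLE_WORKERS = [
    {"id": "kube-dal10-crexample-w1", "kubeVersion": "1.11.6_1541",
     "targetVersion": "1.11.6_1541", "state": "normal", "status": "Ready"},
    {"id": "kube-dal10-crexample-w2", "kubeVersion": "1.11.7_1544",
     "targetVersion": "1.11.7_1544", "state": "normal", "status": "Ready"},
    {"id": "kube-dal10-crexample-w3", "kubeVersion": "1.11.6_1541",
     "targetVersion": "1.11.7_1544", "state": "reloading",
     "status": "Waiting for IBM Cloud infrastructure: Setup provision configuration"},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # live mode: python3 check_workers.py dmhIKSCluster
        sys.exit(0 if wait_for_workers(sys.argv[1]) else 1)
    print("unpatched:", unpatched_workers(SAMPLE_WORKERS))
    print("all patched and ready:", all_patched_and_ready(SAMPLE_WORKERS))
```

Run it with a cluster name to poll the real CLI, or with no arguments to see the checks against the constructed sample. Because the `Version` column (or `kubeVersion` field) is the only runtime-version signal IKS exposes for a worker, the script treats "running version at or above the fixed build, state normal, status Ready" as the definition of done; the e-mail confirming the OS reload is a useful second signal but is not something the script waits on.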
Shortly afterwards, I received an email from IBM Cloud: -
...
The operating system reload is complete for computing instance kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1.cloud.ibm [192.168.153.123].
...
and my cluster is clean n' green.
Now to finish updating Docker elsewhere ... including on the Mac