CVE-2019-16884

Description

runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

How to fix CVE-2019-16884

To remediate CVE-2019-16884, upgrade the affected package to a fixed version below.

• —upgrade to 1.3.0-2 or later
• —upgrade to 1.0.0~rc1+git20170621.5.4a2974b-1+deb10u1 or later
• —upgrade to 1.0.0~rc9+dfsg1-1 or later
• —upgrade to 1.0.0~rc6+dfsg1-3+deb10u2 or later
• —upgrade to 1.0.0-rc8.0.20190930145003-cad42f6e0932 or later
• —upgrade to 1.0.0-rc8.0.20190930145003-cad42f6e0932 or later
• —upgrade to 1.3.1-0.20190929122143-5215b1806f52 or later
• —upgrade to 1.3.1-0.20190929122143-5215b1806f52 or later

Is CVE-2019-16884 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 1.3.0-2
• from 0, < 1.0.0~rc1+git20170621.5.4a2974b-1+deb10u1
• from 0, < 1.0.0~rc9+dfsg1-1
• from 0, < 1.0.0~rc6+dfsg1-3+deb10u2
• from 0, < 1.0.0-rc8.0.20190930145003-cad42f6e0932
• from 0, < 1.0.0-rc8.0.20190930145003-cad42f6e0932
• from 0, < 1.3.1-0.20190929122143-5215b1806f52
• from 0, < 1.3.1-0.20190929122143-5215b1806f52

CVSS scores

References (23)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-16884
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-16884
• PATCHgithub.com/opencontainers/runc
• WEBlists.opensuse.org/opensuse-security-announce/2019-10/msg00073.html