mesosphere

Our Rapid Response to the Recent Container Vulnerability

Feb 13, 2019

Andrew Hatfield

D2iQ

5 min read

 
Another serious security vulnerability has recently been discovered in the fast moving container ecosystem. We at Mesosphere are proud to provide our customers with capabilities to manage and protect themselves in events such as these.
 
This time, it is specific to the underlying container runtime technology exposing almost ALL container platforms in use today.
 
Listed as a critical vulnerability (CVE-2019-5736), it allows a malicious user to change the process that is run by a container at time of launch.
 
This zero-day vulnerability is a serious issue that could expose significant risk to customers running affected versions of runC and containerd, the Docker container engine.
 
The details of the vulnerability are as follows:
 
"Through this security vulnerability, a malicious user could set the container image entrypoint to be `/proc/self/exe` and create a Docker image that executes the `/proc/self/exe` binary on the host computer. 
 
When this binary is executed, it could dynamically link libraries (for example using, glibc) from the container image. Since those dynamic libraries are in the container image, a malicious user could modify those libraries to cause some malicious code to be executed during linking (for example, by using `__attribute__((constructor))` from gcc). The malicious code could then open the host binary as read-only to execute a different binary in the container image. This second binary could reopen the read-only file descriptor as read-write, enabling the second binary to exploit the host binary.
 
For most container runtimes, the host binary that can be exploited is typically the init helper binary that is executed on every container launch. As a result, a malicious user could gain root-level access to execute malicious code on the host.
 
You should note that an attempt to attack a host through this security vulnerability will not succeed if the container is running under a non-root host user, which is the default for containers launched by UCR in a strict mode cluster."
 
Mesosphere takes security seriously. Not only did we have patches ready for customers, but those running in Strict Mode using our Universal Container Runtime (UCR) were not even at risk of this vulnerability.
 
Additionally, to ensure our customers potentially exposed by this vulnerability were not at risk once the announcement was made public, we shipped the fix early.
 
Effectively, Mesosphere customers were either not vulnerable to this security bug or, if they were, we fixed it before a general announcement was made public.
 
One of the key benefits customers enjoy from using Mesosphere solutions is full lifecycle service automation: automated install, update, upgrade, and retire. We make complex workflows extremely simple through our service automation engine. This means our customers can easily upgrade Kubernetes, or Cassandra, or Kafka, or Spark while the service is running. We take care of all the operations lifecycle tasks, ensuring services are placed in maintenance where appropriate, draining applications off affected nodes, and then working out all the dependencies for you.
 
As more organizations run multiple technologies across data and data science, with both traditional and cloud native applications, it's becoming increasingly challenging to keep track of this yourself. Mesosphere does the heavy lifting to reduce complexity for your operations and DevOps teams so they can focus on business value activities rather than patching software.

Ready to get started?