Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is

Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O. "While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a …

  1. ds6 Bronze badge

    Such a straightforward exploit. With the majority of the world running on supposedly secure virtualization and containerization, lord knows how many small overlooked attack vectors like this exist.

    Regardless of the content of this fine article, let us also agree that our poor vultures are running out of puns for titles.

    1. Lost In Clouds of Data

      Sure they're just warming up

      Pretty confident in our resident vultures' ability to increase their caffeine and other stimulants to enable the headlines to maintain their current levels of bite. Fully expect our victorious vultures to viciously vex voice in verbal vengeance...

      1. Peter Gathercole Silver badge

        Re: Sure they're just warming up

        Got a long way to go before you get to something like this.

        V: Voilà! In view, a humble vaudevillian veteran, cast vicariously as both victim and villain by the vicissitudes of Fate. This visage, no mere veneer of vanity, is a vestige of the vox populi, now vacant, vanished. However, this valorous visitation of a by-gone vexation, stands vivified and has vowed to vanquish these venal and virulent vermin vanguarding vice and vouchsafing the violently vicious and voracious violation of volition. (he carves a "V" into a sign) The only verdict is vengeance; a vendetta, held as a votive, not in vain, for the value and veracity of such shall one day vindicate the vigilant and the virtuous. (giggles) Verily, this vichyssoise of verbiage veers most verbose, so let me simply add that it is my very good honor to meet you and you may call me V.

        Evey: Are you like a crazy person?

        V: I'm quite sure they will say so.

        (Can't remember whether this is in the original comic strip, or whether it was invented just for the film, but it captures the idea of what was written by Alan Moore - quite the wordsmith)

    2. MacroRodent Silver badge

      Docker security

      Actually, a couple of years ago, when first learning about Docker, I encountered various documents online warning that one should not rely on Docker providing any tight security isolation, due to the way it was implemented. In any case security was not the purpose of Docker. It was just meant to provide a self-contained service, to get rid of dependency Hell.

      I sort of assumed security was fixed later (have not followed closely) as Docker became popular, but apparently not.

  2. zeigerpuppy

    kata-containers

    This is a reminder to think of ways to lock down docker. For instance it's possible to run docker containers with an higher security by using an alternative runtime to runc.

    Kata containers are a great example of this and for most containers, no extra configuration is needed, just install and update the available runtimes in the docker config.

    see https://github.com/kata-containers/runtime
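    As an added example (not the commenter's own text or the Kata project's code), this is how the "update the available runtimes in the docker config" step looks in practice: a small script that emits a /etc/docker/daemon.json registering kata-runtime beside the built-in runc, with the runtime binary path assumed to be /usr/bin/kata-runtime.

    ```shell
    #!/bin/sh
    # Added example: register Kata Containers as an alternative dockerd runtime.
    # Assumption: the Kata runtime binary lives at /usr/bin/kata-runtime
    # (check where your distribution's package installs it).

    # Emit daemon.json content. The optional first argument names the
    # default runtime; leaving it unset keeps runc as the default and lets
    # individual containers opt in with "docker run --runtime kata-runtime".
    # Passing "kata-runtime" makes every container use Kata with no per-run flag.
    daemon_json() {
      default="${1:-runc}"
      cat <<EOF
    {
      "default-runtime": "$default",
      "runtimes": {
        "kata-runtime": {
          "path": "/usr/bin/kata-runtime"
        }
      }
    }
    EOF
    }

    # Typical use (as root), then restart dockerd to pick up the new runtime:
    #   daemon_json > /etc/docker/daemon.json && systemctl restart docker
    # Sanity check that a container really runs in a Kata VM rather than on the
    # host kernel: the reported kernel release differs from the host's.
    #   docker run --rm --runtime kata-runtime alpine uname -r
    #   uname -r
    daemon_json "$@"
    ```

    If the two `uname -r` values match, the container is still running under runc on the host kernel and the runtime registration did not take effect.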

    1. Lusty Silver badge

      Re: kata-containers

      “an higher”

      While it may be usual to speak like a cockney (an ‘igher) it’s not usual to write like one. If you’re going to use the h then use a.

    2. yoganmahew

      Re: kata-containers

      @zeigerpuppy

      You're guaranteeing that kata containers have no flaws? Backing that with money?

      1. Anonymous Coward

        Re: kata-containers

        I am fairly sure zeigerpuppy said higher security, that doesn't in any way translate to no flaws.

        You seem like you are chomping at the bit to let loose a load of bile about kata-containers...

  3. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    Is today's Reg readership old enough to enjoy this headline fully? I certainly am.

    1. Korev Silver badge

      It’s like that and that’s the way it is...

    2. mrobaer

      It's not funny.

      1. mrobaer

        Downvoted for a RUN DMC song title. Fitting.

    3. Locky Silver badge

      Sorry, I'm a bit slow today. I've just had 6 weeks off celebrating Christmas in the Hollies with Mary Mary

    4. Anonymous Coward

      I had to pause when I read the headline. What's it all about, I thought, can I get it, yo?

      Hard Times for users of runc? Ooh, whatcha gonna do?

      We can't say Docker is never dirty, but hopefully after this bug fix, runc is mostly clean.

  4. Walter Bishop Silver badge

    Runc the default container runtime for Docker

    Why wasn't this picked up at the development phase? They do actually have someone tasked with hunting up potential security violations. If not, they have no business releasing this to a production environment.

  5. Alistair Silver badge

    urrr.

    Don't run privileged containers for anything that doesn't need the privilege.

    Just like all those dolts that run java applications as root.

    /shakes head, wanders down hall muttering under breath, slopping coffee all over the carpet.

  6. LordHighFixer

    A big told ya so.

    Why would you want to hire separate security, network, and OS guys, with decades of combined experience? Developers fresh out of school with maybe one or two languages, and a couple of years of practice can do it all, right? No? Big surprise.

    1. Walter Bishop Silver badge

      Re: A big told ya so.

      > Why would you want to hire separate security, network, and OS guys, with decades of combined experience? Developers fresh out of school with maybe one or two languages, and a couple of years of practice can do it all, right? No? Big surprise.

      The OS people: We'll rely on the app developers to write safe code to trap errors.

      The APP people: We won't bother testing for boundary violations as the OS will trap errors.

  7. Anonymous Coward

    Joyent Triton

    Joyent's Triton is based on Open Solaris 10 Zones with a Linux Native Mode to run containers at bare metal speed. It has a Docker API built into the infrastructure. If this CVE were executed the attackers would find themselves still jailed inside the zone with nothing to do. Impossible to get to the global zone from a container zone. Unless you were remarkably stupid and put the private admin network on the Internet.

    FYI, Samsung now owns Joyent. But it's all still open source for private clouds.

  8. Clunking Fist Bronze badge

    I didn't understand a word of this article...

    ...I'm only here for the headlines.

Biting the hand that feeds IT © 1998–2019