TPS-2019-001 Certain Docker or Kubernetes configurations in KVM or bhyve(CVE-2019-5736)
Overview
CVE-2019-5736 has been detected and remediation has been strategized, as detailed here.
This vulnerability relies on an unsafe container configuration known as privileged containers.
SmartOS is immune to this attack. While Triton and SmartOS implement the same interface as Docker, the runC program that is used on Linux is not used in SmartOS. SmartOS is immune to similar vulnerabilities that may exist in any other program because the SmartOS handles per-zone identity in a stricter fashion than Linux privileged containers. That is, SmartOS zones never consider root in a zone to be equivalent to root in the global zone.
However, if you are using Docker or Kubernetes within KVM or bhyve virtual machines, please see the “Actions You Need to Take” section below.
Actions Taken by Joyent
Because SmartOS is immune to this class of attack, no action is required on Joyent’s part.
Actions You Need to Take
Triton Enterprise Software Users
If you are using Docker or Kubernetes within KVM or bhyve virtual machines, this vulnerability is applicable. To remediate this vulnerability, follow the guest operating system vendor’s recommendations.
SmartOS users are not affected by this vulnerability, as noted in the “Overview” above.
Triton Public Cloud Users
If you are using Docker or Kubernetes within KVM or bhyve virtual machines, this vulnerability is applicable. To remediate this vulnerability, follow the guest operating system vendor’s recommendations.
SmartOS users are not affected by this vulnerability, as noted in the “Overview” above.
Open Source Triton Users
Please direct any further questions to The SmartOS Community Mailing Lists and IRC.
Support
If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.
As noted above, if you are an Open Source Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.