TPS-2019-001 Certain Docker or Kubernetes configurations in KVM or bhyve (CVE-2019-5736)

Overview

CVE-2019-5736, a container-escape vulnerability in runC, has been reviewed and the required actions are set out below.

This vulnerability depends on a Linux container configuration in which root inside the container is the same uid 0 as root on the host, so a process in the container that can reach the host's runC binary (through /proc/self/exe while runC is executing inside the container) can overwrite it and obtain root on the host. That is the default configuration of Docker without user namespaces; privileged containers widen the exposure further, but are not required for the attack.

SmartOS is immune to this attack. While Triton and SmartOS implement the same interface as Docker, the runC program used on Linux is not used on SmartOS. SmartOS is also immune to similar vulnerabilities of this class in other programs, because SmartOS handles per-zone identity more strictly than Linux containers do: root in a zone is never equivalent to root in the global zone, so a process running as uid 0 inside a zone cannot rewrite global-zone binaries.

However, if you are using Docker or Kubernetes within KVM or bhyve virtual machines, please see the “Actions You Need to Take” section below.
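As an added illustration, not part of the Joyent advisory: a POSIX shell check for a Docker host running inside a KVM or bhyve guest. It reduces the question to the two facts the overview turns on: whether the engine carries the upstream fix (Docker 18.09.2, or 18.06.2 on the older branch) and whether container root is mapped away from host root with user namespaces, which is the Linux analogue of the zone identity separation described above. The `docker info` text is constructed for the example, the version cut-offs are Docker's upstream fix releases, and distribution-patched packages may carry older version strings, so the version check is a hint while the user-namespace check is the control that actually matters.

```shell
#!/bin/sh
# Added example, not from the Joyent advisory or Docker: classify a Docker
# host's exposure to CVE-2019-5736 from its engine version and its
# "Security Options" (as printed by "docker info").
# Assumptions: upstream fix releases are 18.09.2 and 18.06.2; "docker info"
# lists "userns" under "Security Options:" when userns-remap is enabled.

# version_ge A B: exit 0 if dotted version A >= B (numeric per component,
# trailing suffixes such as "-ce" ignored).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# docker_engine_patched VERSION: exit 0 if the upstream engine release
# includes the runC fix. Older branches (17.x, 18.03) never received one.
docker_engine_patched() {
    case "$1" in
        18.06.*) version_ge "$1" 18.06.2 ;;
        *)       version_ge "$1" 18.09.2 ;;
    esac
}

# userns_enabled: reads "docker info" text on stdin; exit 0 if "userns"
# appears inside the indented "Security Options:" block.
userns_enabled() {
    awk '
        /^Security Options:/ { inblock = 1; next }
        inblock && /^[^ ]/   { inblock = 0 }
        inblock && /userns/  { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# assess VERSION: reads "docker info" text on stdin and prints one of
#   patched | unpatched-userns-mitigates | vulnerable
assess() {
    if docker_engine_patched "$1"; then
        echo patched
    elif userns_enabled; then
        echo unpatched-userns-mitigates
    else
        echo vulnerable
    fi
}

# Constructed sample fragments of "docker info" output (not captured from a
# real host): one with userns-remap enabled, one without.
SAMPLE_INFO_USERNS='Server Version: 18.09.1
Security Options:
 apparmor
 seccomp
  Profile: default
 userns
Kernel Version: 4.15.0-45-generic'

SAMPLE_INFO_PLAIN='Server Version: 18.09.1
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.15.0-45-generic'

# Demonstration on the constructed samples.
printf 'userns host, 18.09.1: %s\n' "$(printf '%s\n' "$SAMPLE_INFO_USERNS" | assess 18.09.1)"
printf 'plain host,  18.09.1: %s\n' "$(printf '%s\n' "$SAMPLE_INFO_PLAIN" | assess 18.09.1)"
printf 'plain host,  18.09.2: %s\n' "$(printf '%s\n' "$SAMPLE_INFO_PLAIN" | assess 18.09.2)"

# Live use on a Docker host (requires the docker CLI):
#   docker info | assess "$(docker version --format '{{.Server.Version}}')"
```

Enabling user namespaces on Docker is a matter of setting `"userns-remap": "default"` in `/etc/docker/daemon.json` and restarting the daemon; it changes the host-side ownership of container files and volumes, so it needs testing, and it is a mitigation rather than a substitute for updating runC.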

Actions Taken by Joyent

Because SmartOS is immune to this class of attack, no action is required on Joyent’s part.

Actions You Need to Take

Triton Enterprise Software Users

If you are using Docker or Kubernetes within KVM or bhyve virtual machines, this vulnerability applies to the guest. To remediate it, update runC (or the Docker or Kubernetes packages that bundle it) following the guest operating system vendor's recommendations.

SmartOS users are not affected by this vulnerability, as noted in the “Overview” above.

Triton Public Cloud Users

If you are using Docker or Kubernetes within KVM or bhyve virtual machines, this vulnerability applies to the guest. To remediate it, update runC (or the Docker or Kubernetes packages that bundle it) following the guest operating system vendor's recommendations.

SmartOS users are not affected by this vulnerability, as noted in the “Overview” above.

Open Source Triton Users

Please direct any further questions to the SmartOS Community Mailing Lists and IRC.

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

As noted above, if you are an Open Source Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.