Homepage
About Snyk

Race Condition Affecting github.com/opencontainers/runc/libcontainer package, versions <1.0.0-rc10

0.0
medium

Snyk CVSS

    Attack Complexity High
    Confidentiality High

    Threat Intelligence

    EPSS 0.05% (16th percentile)
Expand this section
NVD
7 high
Expand this section
SUSE
7 high
Expand this section
Red Hat
7 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMOPENCONTAINERSRUNCLIBCONTAINER-540485
  • published 2 Jan 2020
  • disclosed 24 Dec 2019
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 24 Dec 2019

CVE-2019-19921 Open this link in a new tab
CWE-362 Open this link in a new tab

How to fix?

Upgrade github.com/opencontainers/runc/libcontainer to version 1.0.0-rc10 or higher.

Overview

github.com/opencontainers/runc/libcontainer is a package for a modern container runtime.

Affected versions of this package are vulnerable to Race Condition an attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume. The second container won't be able to see the actual mount, but it can race it by modifying the mount point on the volume.

This can be exploited for a full container breakout by racing readonly/mask mounts, allowing writes to dangerous paths like /proc/sys/kernel/core_pattern.