runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
IBM issued this: -
Security Bulletin: IBM Cloud Kubernetes Service is affected by a privilege escalation vulnerability in runc
Updates for IBM Cloud Kubernetes Service cluster worker nodes at versions 1.10 and later will be available shortly that fix this vulnerability. Customers must update their worker nodes to address the vulnerability. See Updating worker nodes for details on updating worker nodes. To verify your cluster worker nodes have been updated, use the following IBM Cloud CLI command to confirm the currently running version:
I've got an IKS cluster running, so I wanted to ensure that my worker node was suitably patched.
So, having logged into IBM Cloud: -
ibmcloud login ....
I checked my cluster: -
ibmcloud ks workers --cluster dmhIKSCluster
ID Public IP Private IP Machine Type State Status Zone Version
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1 192.168.153.123 10.94.221.198 u2c.2x4.encrypted normal Ready dal10 1.11.6_1541*
* To update to 1.11.7_1544 version, run 'ibmcloud ks worker-update'. Review and make any required version changes before you update: https://console.bluemix.net/docs/containers/cs_cluster_update.html#worker_node
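As an added example (not part of the original post or of the IBM CLI), a small POSIX shell check that parses the `ibmcloud ks workers` table and lists workers the CLI flags with a trailing `*` on the Version column, plus a pass/fail check that every worker runs the version you expect. The table below is constructed from the shape shown above; the second worker row (ID, IPs) is made up to show a node already at the update target.

```shell
#!/bin/sh
# Constructed sample of `ibmcloud ks workers --cluster <name>` output.
# Row w1 mirrors the post; row w2 is invented to show an updated worker.
sample_workers() {
cat <<'EOF'
ID   Public IP   Private IP   Machine Type   State   Status   Zone   Version
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1   192.168.153.123   10.94.221.198   u2c.2x4.encrypted   normal   Ready   dal10   1.11.6_1541*
kube-dal10-crEXAMPLE0000000000000000000000000-w2   192.168.153.124   10.94.221.199   u2c.2x4.encrypted   normal   Ready   dal10   1.11.7_1544

* To update to 1.11.7_1544 version, run 'ibmcloud ks worker-update'.
EOF
}

# Print the IDs of workers whose Version column ends in '*', the marker the
# CLI uses for "an update is available". Reads the table on stdin.
# Header ("Public IP" contains a space) is skipped, so only the first and
# last fields are used; footnote lines starting with '*' are ignored.
pending_workers() {
    awk 'NR > 1 && NF > 1 && $1 !~ /^\*/ && $NF ~ /\*$/ { print $1 }'
}

# Exit 0 only when every worker row reports exactly the wanted version
# (no trailing '*'); exit 1 otherwise, including for an empty table.
all_at_version() {
    awk -v want="$1" '
        NR > 1 && NF > 1 && $1 !~ /^\*/ { total++; if ($NF == want) ok++ }
        END { if (total > 0 && ok == total) exit 0; exit 1 }'
}

# Live usage (assumes you are logged in and own the cluster):
#   ibmcloud ks workers --cluster dmhIKSCluster | pending_workers
#   ibmcloud ks workers --cluster dmhIKSCluster | all_at_version 1.11.7_1544 \
#       && echo "all workers at 1.11.7_1544" || echo "update still pending"
```

Run the pass/fail check from a cron job or CI step so a worker left behind after `ibmcloud ks worker-update` is noticed rather than assumed patched.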