Monday, 18 February 2019

Security Bulletin: IBM Cloud Kubernetes Service is affected by a privilege escalation vulnerability in runc

Following on from this: -

CVE-2019-5736

runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. 

IBM issued this: -

Security Bulletin: IBM Cloud Kubernetes Service is affected by a privilege escalation vulnerability in runc

...
IBM Cloud Kubernetes Service is affected by a security vulnerability in runc which could allow an attacker that is authorized to run a process as root inside a container to execute arbitrary commands with root privileges on the container’s host system.
...
Updates for IBM Cloud Kubernetes Service cluster worker nodes at versions 1.10 and later will be available shortly that fix this vulnerability.  Customers must update their worker nodes to address the vulnerability.  See Updating worker nodes for details on updating worker nodes.  To verify your cluster worker nodes have been updated, use the following IBM Cloud CLI command to confirm the currently running version:
...

I've got an IKS cluster running: -

https://cloud.ibm.com/containers-kubernetes/overview

so wanted to ensure that my worker node was suitably patched.

So, having logged into IBM Cloud: -

ibmcloud login ....

I checked my cluster: -

ibmcloud ks workers --cluster dmhIKSCluster

OK
ID                                                 Public IP       Private IP      Machine Type        State    Status   Zone    Version   
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1   192.168.153.123   10.94.221.198   u2c.2x4.encrypted   normal   Ready    dal10   1.11.6_1541*   

* To update to 1.11.7_1544 version, run 'ibmcloud ks worker-update'. Review and make any required version changes before you update: https://console.bluemix.net/docs/containers/cs_cluster_update.html#worker_node

and then updated the worker: -

ibmcloud ks worker-update --cluster dmhIKSCluster --workers kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1

Updating the worker node version can cause downtime for your apps and services. During the update, all pods might be rescheduled onto other worker nodes and data is deleted if not stored outside the pod. To avoid downtime, ensure that you have enough worker nodes to handle your workload while the selected worker nodes are updating.
You might need to change your YAML files for deployments before updating. Review the docs for details: https://console.bluemix.net/docs/containers/cs_cluster_update.html#worker_node
Are you sure you want to update your worker node [kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1] to 1.11.7_1544? [y/N]> y

Updating worker kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1...
OK

ibmcloud ks workers --cluster dmhIKSCluster

OK
ID                                                 Public IP       Private IP      Machine Type        State    Status   Zone    Version   
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1   192.168.153.123   10.94.221.198   u2c.2x4.encrypted   normal   Ready    dal10   1.11.6_1541 --> 1.11.7_1544 (pending)   

ibmcloud ks workers --cluster dmhIKSCluster

OK
ID                                                 Public IP       Private IP      Machine Type        State    Status   Zone    Version   
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1   192.168.153.123   10.94.221.198   u2c.2x4.encrypted   normal   Ready    dal10   1.11.6_1541 --> 1.11.7_1544 (pending)   

ibmcloud ks workers --cluster dmhIKSCluster

OK
ID                                                 Public IP       Private IP      Machine Type        State       Status                                                                Zone    Version   
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1   192.168.153.123   10.94.221.198   u2c.2x4.encrypted   reloading   Waiting for IBM Cloud infrastructure: Setup provision configuration   dal10   1.11.6_1541 --> 1.11.7_1544 (pending)   

ibmcloud ks workers --cluster dmhIKSCluster

OK
ID                                                 Public IP       Private IP      Machine Type        State    Status   Zone    Version   
kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1   192.168.153.123   10.94.221.198   u2c.2x4.encrypted   normal   Ready    dal10   1.11.7_1544   

So, after a small amount of time, I'm all updated.
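Polling the workers table by eye is fine for one node; on a bigger cluster a small helper that parses the same `ibmcloud ks workers` output and flags nodes not yet on the patched version is handier. This is an added example, not from the post or from IBM; it assumes worker IDs start with `kube-` (as above) and uses a constructed sample table in place of live CLI output.

```sh
#!/bin/sh
# Added example (not from the post or IBM): flag IKS worker nodes that are not
# yet on the runc-patched worker version, by parsing the table that
# `ibmcloud ks workers --cluster <name>` prints.
#
# Assumptions: worker IDs start with "kube-" (as in the post), the version is
# the last column, and an in-flight update shows as "old --> new (pending)".

# check_workers TARGET   (table on stdin)
# Prints "<worker-id> <current|pending|outdated>" per worker and returns 0
# only when every worker already runs TARGET.
check_workers() {
    awk -v target="$1" '
        /^kube-/ {
            line = $0
            sub(/\*/, "", line)            # drop the "update available" marker
            n = split(line, f)             # default FS: whitespace, trimmed
            if (line ~ /-->/) {
                # "old --> new (pending)": new version is 2 fields from the end
                status = (f[n-1] == target) ? "pending" : "outdated"
            } else {
                status = (f[n] == target) ? "current" : "outdated"
            }
            print $1, status
            if (status != "current") bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample standing in for live CLI output (IDs and IPs are made up).
sample_workers() {
    cat <<'EOF'
OK
ID                        Public IP    Private IP   Machine Type        State    Status   Zone    Version
kube-dal10-crexample-w1   192.0.2.10   10.0.0.10    u2c.2x4.encrypted   normal   Ready    dal10   1.11.7_1544
kube-dal10-crexample-w2   192.0.2.11   10.0.0.11    u2c.2x4.encrypted   normal   Ready    dal10   1.11.6_1541 --> 1.11.7_1544 (pending)
kube-dal10-crexample-w3   192.0.2.12   10.0.0.12    u2c.2x4.encrypted   normal   Ready    dal10   1.11.6_1541*

* To update to 1.11.7_1544 version, run 'ibmcloud ks worker-update'.
EOF
}

# Real use: ibmcloud ks workers --cluster dmhIKSCluster | check_workers 1.11.7_1544
sample_workers | check_workers 1.11.7_1544 || echo "some workers still need 'ibmcloud ks worker-update'"
```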

Shortly afterwards, I received an email from IBM Cloud: -

...
The operating system reload is complete for computing instance kube-dal10-crbd60afb0c7ff4a98a4017fb784ee4e96-w1.cloud.ibm [192.168.153.123].
...

and my cluster is clean n' green.

Now to finish updating Docker elsewhere ... including on the Mac
