Updates re CVE-2019-5736: runc / lxc container escape vulnerability

fabian (Proxmox Staff Member)
It only affects privileged containers.

https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pct_settings
Privileged Containers
Security is done by dropping capabilities, using mandatory access control (AppArmor), SecComp filters and namespaces. The LXC team considers this kind of container as unsafe, and they will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. So you should use this kind of container only inside a trusted environment, or when no untrusted task is running as root in the container.

Unprivileged Containers
This kind of container uses a new kernel feature called user namespaces. The root UID 0 inside the container is mapped to an unprivileged user outside the container. This means that most security issues (container escape, resource abuse, …) in those containers will affect a random unprivileged user, and so would be a generic kernel security bug rather than an LXC issue. The LXC team thinks unprivileged containers are safe by design.
Also see https://brauner.github.io/2019/02/12/privileged-containers.html

lxc-pve 3.1.0-3 contains the fix (currently available in pvetest)
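The post above says the escape only matters for privileged containers, so the first practical question on a PVE host is "which of my containers are privileged?". The script below is an added example, not code from the Proxmox project or from the poster. It assumes the Proxmox convention that each container's config lives at /etc/pve/lxc/<vmid>.conf and that an unprivileged container carries the line "unprivileged: 1" (a missing key means 0, i.e. privileged); the second check, meant to be run from inside a container, reads the Linux /proc/self/uid_map format, where a privileged container shows container UID 0 mapped to host UID 0 and an unprivileged one shows it mapped to a high host UID. The sample configs and uid_map lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Proxmox code): list privileged LXC containers on a PVE host
# and classify the current container from its uid_map.

# Assumption: PVE keeps container configs as /etc/pve/lxc/<vmid>.conf and marks
# unprivileged containers with "unprivileged: 1" (absent key == privileged).
PVE_LXC_DIR="${PVE_LXC_DIR:-/etc/pve/lxc}"

# classify_conf FILE -> prints "privileged" or "unprivileged"
classify_conf() {
  if grep -Eq '^unprivileged:[[:space:]]*1[[:space:]]*$' "$1"; then
    printf 'unprivileged\n'
  else
    printf 'privileged\n'
  fi
}

# list_privileged DIR -> one vmid per line for every privileged container config
list_privileged() {
  for f in "$1"/*.conf; do
    [ -e "$f" ] || continue            # no configs at all: glob stays literal
    vmid=$(basename "$f" .conf)
    [ "$(classify_conf "$f")" = privileged ] && printf '%s\n' "$vmid"
  done
  return 0
}

# classify_uid_map "CONTENT" -> from inside a container, feed it
#   "$(cat /proc/self/uid_map)".  Each line is: <inside-uid> <outside-uid> <count>.
# "0 0 4294967295" means container root IS host root (privileged);
# "0 100000 65536" means container root is host uid 100000 (unprivileged).
classify_uid_map() {
  printf '%s\n' "$1" | awk '
    $1 == 0 { found = 1; hostroot = ($2 == 0) }
    END {
      if (found && hostroot) print "privileged"
      else print "unprivileged"
    }'
}

# Constructed sample configs so the demo runs on a machine without PVE.
make_sample_dir() {
  d=$(mktemp -d)
  printf 'arch: amd64\nhostname: web1\nunprivileged: 1\n' > "$d/100.conf"
  printf 'arch: amd64\nhostname: legacy\n'               > "$d/101.conf"
  printf 'arch: amd64\nhostname: ct3\nunprivileged: 0\n'  > "$d/102.conf"
  printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
  dir=$(make_sample_dir)
  echo "privileged containers in $dir (constructed samples):"
  list_privileged "$dir"
  echo "uid_map '0 0 4294967295' -> $(classify_uid_map '0 0 4294967295')"
  echo "uid_map '0 100000 65536' -> $(classify_uid_map '0 100000 65536')"
  rm -rf "$dir"
else
  # Real run on a PVE host: print vmids of privileged containers.
  list_privileged "$PVE_LXC_DIR"
fi
```

Run it with `--demo` anywhere to see the classification on the constructed samples, or without arguments on a PVE node to get the list of vmids that the note above says are the only ones affected. The grep is anchored and whitespace-tolerant so a commented-out or indented "unprivileged: 1" is not mistaken for the real setting; when in doubt, the uid_map check from inside the container is the ground truth, because it reflects what the kernel actually applied rather than what the config says.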