VMware has released patches for the latest bug in the runc container runtime, which affects VMware's container-based products. In short, this vulnerability allows an attacker to overwrite the host runc binary and obtain root access on the host, either executing commands with root privileges or running Docker exec on the host. The fix mainly updates the version of Docker deployed by PKS to v18.06.2-ce.

This is tracked under the VMSA-2019-0001.1 security advisory (revised as .2 and .3), and VMware has released the relevant patches to mitigate the threat to your containerized environment.
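As an added example (not from the VMware advisory or this post), the following Python check reads the Docker Engine version from the local docker CLI and compares it with the fixed release named above, 18.06.2-ce. Release lines the page does not cover are reported as unknown rather than guessed; the PATCHED_MINIMUM table, runc_fix_status and the other names are this example's own.

```python
import re
import subprocess

# Minimum fixed release per Docker release line: (major, minor) -> (major, minor, patch).
# Only the 18.06 line is stated on this page (PKS moves Docker to 18.06.2-ce); other
# lines are deliberately left out so the check reports "unknown" instead of guessing.
PATCHED_MINIMUM = {
    (18, 6): (18, 6, 2),
}

# Docker Engine versions look like "18.06.2-ce" or "18.09.1"; the suffix is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?$")


def parse_docker_version(text):
    """Turn '18.06.2-ce' into (18, 6, 2, 'ce'); raise ValueError on anything else."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Docker version string: {text!r}")
    major, minor, patch, suffix = match.groups()
    return int(major), int(minor), int(patch), suffix or ""


def runc_fix_status(text):
    """True if at or above the fixed release for its line, False if below,
    None if the release line is not listed in PATCHED_MINIMUM."""
    major, minor, patch, _suffix = parse_docker_version(text)
    minimum = PATCHED_MINIMUM.get((major, minor))
    if minimum is None:
        return None
    return (major, minor, patch) >= minimum


def installed_docker_version():
    """Read the Engine version from the local docker CLI (needs a reachable daemon)."""
    out = subprocess.check_output(
        ["docker", "version", "--format", "{{.Server.Version}}"], text=True
    )
    return out.strip()


if __name__ == "__main__":
    version = installed_docker_version()
    status = runc_fix_status(version)
    if status is None:
        print(f"Docker {version}: release line not covered here, check the vendor advisory")
    elif status:
        print(f"Docker {version}: at or above the fixed release for its line")
    else:
        print(f"Docker {version}: below the fixed release, patch required")
```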

Which VMware Products Are Affected?

Patches are being released for the affected VMware products listed below:

VIO-K : VMware Integrated OpenStack with Kubernetes

PKS : VMware PKS

CSE : VMware vCloud Director Container Service Extension

VIC : vSphere Integrated Containers

To mitigate the risk of this vulnerability, the containerized solutions above should be patched with the updated versions; however, patches for VMware Integrated OpenStack with Kubernetes (VIO-K) and vSphere Integrated Containers (VIC) were still pending at the time of writing this article.

Update as of 23/02/2019

Patches for VMware PKS (PKS)

Please note that the initial advisory release incorrectly stated that the VMware PKS 1.3.2 and VMware PKS 1.2.9 patches resolve CVE-2019-5736; the corrected patches for VMware PKS are listed below.

The VMware PKS 1.3.3 and VMware PKS 1.2.10 patches should be applied to mitigate the vulnerability; the supported upgrade paths are:

Upgrading from PKS 1.3.1 or 1.3.2 is supported (1.3.1 or 1.3.2 -> 1.3.3)

Upgrading from PKS 1.2.x via PKS 1.2.8 or 1.2.9 is supported (1.2.8 or 1.2.9 -> 1.2.10)

For more information, refer to the PKS 1.3.3 release notes here and the PKS 1.2.10 release notes here.

Patches for VMware vCloud Director Container Service Extension (CSE)

Container Service Extension version 1.2.7 should be applied to the VMware vCloud Director Container Service Extension.

Update as of 19/02/2019

Patches for vSphere Integrated Containers (VIC)

VMware has released the patches for vSphere Integrated Containers; patch version 1.5.1 should be installed to mitigate the risk to VIC.