A flaw in runC and Docker may allow access to underlying file systems when SELinux is not enabled.

Credit: Sandra Henry-Stocker

Red Hat announced a vulnerability this morning – one that can be exploited if a user runs malicious or modified containers. The flaw in runC (a lightweight, portable container runtime) and Docker allows an attacker to escape a container and access the underlying file system. That might sound bad, but there’s more. The good news is that this vulnerability cannot be exploited if SELinux is enabled, and that this is the default on Red Hat systems.

To check whether your Red Hat system is enforcing SELinux, use one of the following commands:

$ /usr/sbin/getenforce
Enforcing

$ sestatus
SELinux status: enabled

This vulnerability also requires local access to the system. Affected Red Hat systems include:

Red Hat OpenShift Container Platform 3.x
Red Hat OpenShift Online
Red Hat OpenShift Dedicated
Red Hat Enterprise Linux 7

The vulnerability is rated IMPORTANT. To see descriptions of this and the other vulnerability severity ratings, visit the Issue Severity Classification page. To review the SELinux security modes and the commands for moving between them, see PERMANENT CHANGES IN SELINUX STATES AND MODES. Instructions to customers will be continually updated at updates. A blog post outlining the vulnerability, its impact on operations, and Red Hat’s work with SELinux is also available at It starts with Linux.

Closing thoughts

Scott McCarty, principal product manager, Containers at Red Hat, put out this important reminder:

“This vulnerability (CVE-2019-5736) demonstrates that container security is Linux security. The same steps that must be taken to better secure a Linux system need to be taken with container hosts and images, preferably by constructing layers of defense.
In this particular case, SELinux mitigates the escape and buys users valuable time to patch, and shows just how important the selection of each layer of your container environment can be, from Kubernetes orchestration with OpenShift down to the Linux kernel in Red Hat Enterprise Linux.”
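The getenforce/sestatus check the article recommends, turned into a small audit script so it can be run across a fleet of container hosts. This is an added example, not code from the article or from Red Hat; the function names and the sample sestatus output are constructed. It treats only Enforcing as the mitigated state, since Permissive logs denials without blocking them and so does not stop the escape.

```sh
#!/bin/sh
# Added example (not from the article): report whether a host's SELinux mode
# provides the mitigation Red Hat describes for CVE-2019-5736, i.e. Enforcing.
# Function names and SAMPLE_SESTATUS are constructed for illustration.

# Map a mode string (as printed by getenforce, or the "Current mode:" value
# from sestatus) to an exit status: 0 = Enforcing, 1 = Permissive/Disabled,
# 2 = unrecognised. Case-insensitive because getenforce prints "Enforcing"
# while sestatus prints "enforcing".
selinux_mode_mitigates() {
    mode=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$mode" in
        enforcing)           return 0 ;;
        permissive|disabled) return 1 ;;
        *)                   return 2 ;;
    esac
}

# Extract the value of the "Current mode:" line from sestatus output on stdin.
# Prints nothing if the line is absent (sestatus omits it when SELinux is
# disabled), which selinux_mode_mitigates then reports as unrecognised.
sestatus_current_mode() {
    awk -F: '/^Current mode:/ { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Live check of the current host. Prefers getenforce, falls back to sestatus,
# prints a one-line verdict and returns the selinux_mode_mitigates status.
check_host() {
    if command -v getenforce >/dev/null 2>&1; then
        mode=$(getenforce)
    elif command -v sestatus >/dev/null 2>&1; then
        mode=$(sestatus | sestatus_current_mode)
    else
        echo "SELinux tools not found; cannot confirm mitigation" >&2
        return 2
    fi
    selinux_mode_mitigates "$mode"
    rc=$?
    case $rc in
        0) echo "SELinux $mode: container escape mitigated, patch on normal schedule" ;;
        1) echo "SELinux $mode: mitigation absent, patch runc/docker urgently" ;;
        *) echo "SELinux mode '$mode' not recognised, verify manually" ;;
    esac
    return $rc
}

# Constructed sestatus output, in the layout the real tool prints, used to
# exercise the parser offline.
SAMPLE_SESTATUS='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Current mode:                   enforcing
Mode from config file:          enforcing'

# Run the live check only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh selinux-check.sh --check` on each host; a non-zero exit marks hosts where the runc/docker update cannot wait. Note that `getenforce` reports the mode at that moment, so a host switched to Permissive with `setenforce 0` for troubleshooting will correctly show as unmitigated even if its config file says enforcing.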