AppArmor Restriction Bypass in Docker and runc
CVE-2019-16884

7.5HIGH

Key Information:

Vendor: Linux
Status: Runc
Vendor: CVE Published:; 25 September 2019

What is CVE-2019-16884?

A vulnerability in runc, used by Docker, allows attackers to bypass AppArmor restrictions due to incorrect checks on mount targets in libcontainer/rootfs_linux.go. This flaw enables malicious Docker images to potentially mount over the crucial /proc directory, exposing sensitive information or compromising system security. Users of affected Docker versions should update to mitigate this risk.

References

https://github.com/opencontainers/runc/issues/2128

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 25, 2019
Vulnerability Reserved
Sep 25, 2019

Linux

What is CVE-2019-16884?

References

CVSS V3.1

Timeline