The disclosure of a security flaw (CVE-2019-5736) in runc and docker illustrates a bad scenario for many IT administrators, managers, and CxOs. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.
For many Red Hat end users, it’s unlikely that this flaw gets that far. IT organizations using Red Hat Enterprise Linux to underpin their Linux container and cloud-native deployments are likely protected, thanks to SELinux: the vulnerability is mitigated by SELinux in targeted enforcing mode, which prevents it from being exploited. The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode and it is rarely disabled in a containerized environment.
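To confirm that a container host actually meets that condition, the following added example (not part of the original article or any Red Hat tooling) classifies `sestatus` output against "enabled, targeted policy, enforcing", and flags the case where the host is enforcing now but the config file would bring it up in another mode after a reboot. The function name, the three state labels and the sample outputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `sestatus` output read from stdin against the
# condition the article names (SELinux enabled, targeted policy, enforcing).
# Prints MITIGATED, MITIGATED_UNTIL_REBOOT or NOT_CONFIRMED (hypothetical labels).
selinux_mitigation_state() {
    awk -F': *' '
        { v = $2; sub(/[ \t\r]+$/, "", v) }      # value with trailing blanks removed
        /^SELinux status:/        { status  = v }
        /^Loaded policy name:/    { policy  = v }
        /^Current mode:/          { current = v }
        /^Mode from config file:/ { config  = v }
        END {
            if (status != "enabled" || policy != "targeted" || current != "enforcing")
                print "NOT_CONFIRMED"            # disabled, permissive, or another policy
            else if (config != "enforcing")
                print "MITIGATED_UNTIL_REBOOT"   # next boot will not come up enforcing
            else
                print "MITIGATED"
        }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_ENFORCING='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing'

# Runtime is enforcing, but /etc/selinux/config says permissive.
SAMPLE_CONFIG_DRIFT='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive'

# Someone ran `setenforce 0`; the config file alone would look fine.
SAMPLE_RUNTIME_PERMISSIVE='SELinux status:                 enabled
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing'

# When SELinux is off, sestatus prints only the status line.
SAMPLE_DISABLED='SELinux status:                 disabled'

# On a real host: sh this-script.sh --live
if [ "${1:-}" = "--live" ]; then sestatus | selinux_mitigation_state; fi
```

The check reads both the running mode and the configured mode because either one alone can be misleading: a host in runtime permissive mode still shows `enforcing` in its config file, and the reverse drift only shows up at the next boot.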
This isn’t the first major flaw in a container runtime to come to light and, as container deployments and interest in associated technologies increase, it’s unlikely to be the last. Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well.
To me, the underlying message here is: Containers are Linux.
Not exactly a newsworthy statement, I know, but it’s something that can be easily forgotten in modern IT, especially with the relative ubiquity of cloud-based container services and “throwaway” operating systems serving as container hosts. No matter the other bells, whistles and shiny objects that surround your container infrastructure, if your host layer isn’t properly updated and secured, your operations are likely at risk.
As far as container runtimes go, runc is used by just about every container engine out there - it’s a fundamental component of even the most basic Linux container implementations as a low-level runtime. As you might suspect by the name, this is a function that actually “runs” a given container and there is tight coupling between the features offered in runc and the Linux kernel. The OCI Runtime Specification is based on runc, and the runtime is used across a wide range of container infrastructure and Kubernetes offerings, including Red Hat OpenShift Container Platform.
But Linux still serves as the foundation, and that foundation, as today’s vulnerability illustrates, still really matters. Red Hat Enterprise Linux is the bedrock for Red Hat’s entire portfolio of solutions, providing a more secure building block for traditional and cloud-native infrastructure deployments. The world’s leading enterprise Linux platform is configured with secure defaults, such as SELinux enabled and in enforcing mode, at installation.
This commitment to security at the most basic level of operations means that users of most Red Hat technologies are not affected by this vulnerability as long as SELinux is in enforcing mode. As noted earlier, this is a default setting on Red Hat Enterprise Linux as well as Red Hat OpenShift, meaning that many customers can be protected against specific vulnerabilities, like today’s, without doing anything on their end.
End users should still patch the affected components. For Red Hat subscribers, this should be a relatively painless process thanks to Red Hat’s expertise in delivering enterprise-grade open source solutions. We don’t just spit out patches direct from the community - we analyze, test, harden and validate the code before it makes it to users of our products, helping to limit the potential issues that can arise from patching production systems.
As infrastructure becomes more dense and containerized processes and applications impact more than just isolated systems, layered security measures become very important. It’s not just about having a firewall or access control or a vulnerability content scanner - modern IT deployments require stepped security measures addressing all levels of a software stack.
And again, even with containers, it all starts with Linux.
To read more about the runc vulnerability, check out the Red Hat article about the vulnerability as well as remediation steps that users can take to fully patch the flaw.
Scott McCarty is principal product manager, Containers, at Red Hat.
About the author
At Red Hat, Scott McCarty is Senior Principal Product Manager for RHEL Server, arguably the largest open source software business in the world. Focus areas include cloud, containers, workload expansion, and automation. Working closely with customers, partners, engineering teams, sales, marketing, other product teams, and even in the community, he combines personal experience with customer and partner feedback to enhance and tailor strategic capabilities in Red Hat Enterprise Linux.
McCarty is a social media start-up veteran, an e-commerce old timer, and a weathered government research technologist, with experience across a variety of companies and organizations, from seven person startups to 20,000 employee technology companies. This has culminated in a unique perspective on open source software development, delivery, and maintenance.