VMware has fixes ready for a mishandled file descriptor vulnerability in the runc container runtime.

Products affected by the vulnerability, which the company labeled important, include: VMware Integrated OpenStack with Kubernetes (VIO-K); VMware PKS (PKS); VMware vCloud Director Container Service Extension (CSE); and vSphere Integrated Containers (VIC).

Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host’s runc binary and execute arbitrary code.

Exploitation of this vulnerability requires the attacker to have existing permission to deploy containers or run docker exec. Alternatively, an attacker could trick a user with these permissions into deploying a malicious container or running docker exec for them.

Fixes include:
VMware PKS 1.3.2
VMware PKS 1.2.9
VMware vCloud Director Container Service Extension 1.2.7
