RunC Exec Vulnerability (CVE-2016-9962)

January 10, 2017 · By Alex Crawford

Docker just released docker 1.12.6 with a fix for a vulnerability in RunC (CVE-2016-9962). The security advisory states:

RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.

We've already starting rolling out updated versions of Docker in Container Linux 1235.6.0 (Stable), 1248.4.0 (Beta), and 1284.2.0 (Alpha) which include a fix for the vulnerability. Note that the docker version has not changed in each of these releases even though the vulnerability has been patched.

Container Linux enables automatic updates that make sure you are running the most up to date software. You can read more about our update philosophy here. By running docker on CoreOS, users get the benefit of getting security updates applied shortly after the patch is available.

If you have any questions or concerns, please join us in IRC.