
The Stack Clash Vulnerabilities Mitigated in Container Linux

Background on the Stack Clash

Security researchers at Qualys recently disclosed new techniques for exploiting how the stack is allocated on several operating systems, even in the face of a number of existing security measures. By applying these stack allocation techniques against various pieces of userspace software, Qualys found numerous local-root exploits, that is, exploits which allow an unprivileged local user of a system to gain root privileges.

For more details about the exploit, refer to Qualys’ detailed writeup.

Impact for Container Linux Users

We are releasing updates for all channels that address this issue by patching the kernel for CVE-2017-1000364 and glibc for CVE-2017-1000366. The glibc fix repairs the specific vulnerabilities in the Container Linux glibc, while the kernel change is a broad mitigation for this whole class of stack-collision bugs. Because the host kernel is shared by every container running on it, the kernel mitigation should also provide effective protection against the glibc attack vector in older container images; we nonetheless recommend updating affected containers for defense in depth. This issue alone does not allow an attacker to escape from a container.

These updates are included in Container Linux stable v1409.2.0, beta v1437.1.0, and alpha v1451.0.0. The stable update is rolling out now and the alpha and beta updates will follow over the next two days. Users should let their systems automatically update, as usual.
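For operators who want to confirm that a host has actually picked up the fixed release, the following POSIX shell script is an added example (it is not part of the original post and not CoreOS tooling). It maps each update channel to the first fixed version listed above, compares dotted version strings field by field, and, when run on a host, reads the channel from GROUP= in the update configuration and the version from VERSION_ID= in /etc/os-release. Those two file locations and key names are assumptions about the usual Container Linux layout.

```sh
#!/bin/sh
# Added example, not CoreOS code: report whether a Container Linux host is at
# or past the release that carries the Stack Clash fixes for its channel.

# First fixed release per channel, taken from the advisory text above.
fixed_version_for() {
    case "$1" in
        stable) echo 1409.2.0 ;;
        beta)   echo 1437.1.0 ;;
        alpha)  echo 1451.0.0 ;;
        *)      return 1 ;;
    esac
}

# Compare two dotted versions numerically, field by field.
# Prints -1, 0 or 1 for a<b, a=b, a>b. Missing trailing fields count as 0.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Usage: stack_clash_patched CHANNEL VERSION
# Prints "patched" or "unpatched"; exit status 0 if patched, 1 if not,
# 2 if the channel is not one of stable/beta/alpha.
stack_clash_patched() {
    fixed="$(fixed_version_for "$1")" || { echo "unknown channel: $1" >&2; return 2; }
    if [ "$(version_cmp "$2" "$fixed")" -ge 0 ]; then
        echo patched; return 0
    fi
    echo unpatched; return 1
}

# Host lookups. Assumed locations: GROUP= in /etc/coreos/update.conf (falling
# back to /usr/share/coreos/update.conf) and VERSION_ID= in /etc/os-release.
host_channel() {
    for f in /etc/coreos/update.conf /usr/share/coreos/update.conf; do
        [ -r "$f" ] || continue
        g="$(sed -n 's/^GROUP=//p' "$f" | tr -d '"')"
        [ -n "$g" ] && { echo "$g"; return 0; }
    done
    return 1
}

host_version() {
    v="$(sed -n 's/^VERSION_ID=//p' /etc/os-release 2>/dev/null | tr -d '"')"
    [ -n "$v" ] && { echo "$v"; return 0; }
    return 1
}

check_host() {
    ch="$(host_channel)" || { echo "could not determine update channel" >&2; return 2; }
    ver="$(host_version)" || { echo "could not determine OS version" >&2; return 2; }
    printf 'channel=%s version=%s: ' "$ch" "$ver"
    stack_clash_patched "$ch" "$ver"
}

# Entry point: with two arguments (CHANNEL VERSION) check that pair and exit
# with the result; otherwise inspect the running host. A host that is not
# Container Linux just reports that the lookup failed.
if [ "$#" -eq 2 ]; then
    stack_clash_patched "$1" "$2"
    exit $?
fi
check_host || :
```

Run it with no arguments on the host, or as `sh check.sh stable 1409.1.0` to evaluate a channel and version pair by hand; the exit status makes it usable from a fleet-wide audit loop.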

If you have any questions, please get in touch via our mailing list or IRC channel.