CVE-2019-5736 and runC vulnerability in AKS

Posted on Wednesday, February 13, 2019

A security vulnerability was announced recently in runC, the low-level container runtime that supports Docker and associated container engines, which affects Azure Kubernetes Service (AKS). As a best practice, we'll apply the Open Container Initiative (OCI) update to applicable services that we maintain.

Microsoft has built a new version of the Moby container runtime that includes the OCI update to address this vulnerability. To consume that new container runtime release, you'll need to upgrade your Kubernetes cluster. Any upgrade will suffice, because it will ensure that all existing nodes are removed and replaced with new nodes that include the patched runtime. You can see the upgrade paths available to you by running the following command with the Azure CLI:

az aks get-upgrades -n myClusterName -g myResourceGroup

To upgrade to a given version, run the following command:

az aks upgrade -n myClusterName -g myResourceGroup -k <new Kubernetes version>

You can also upgrade from the Azure portal.

When the upgrade is complete, you can verify that you're patched by running the following command:

kubectl get nodes -o wide

If all of the nodes list docker://3.0.4 in the Container Runtime column, you have successfully upgraded to the new release.

Note that GPU-based nodes don't support the new container runtime yet. We'll provide another service update after a fix is available for those nodes.

Please refer to the AKS GitHub Hotfix Release.

  • Azure Kubernetes Service (AKS)
  • Security