Latest Container Vulnerabililty Creates Another Tempest in a Security Teapot

As containers grow in popularity, so, too, do security threats

The disclosure this week of a vulnerability that could be employed by cybercriminals to overwrite the host runc binary to gain control over a root-level code execution on the host machine is driving organizations to once again re-examine best DevSecOps practices in the cloud.

The CVE-2019-5736 vulnerability disclosed by Red Hat reveals a flaw in the open source runc command line utility, which is widely employed to spawn and run containers. In theory, cybercriminals could take advantage of this flaw to inject a malicious container that would be allowed to access the host filesystem.

Scott McCarty, principal product manager for containers as Red Hat, says that while CVE-2019-5736 is a serious vulnerability, it’s nothing outside the norm of the vulnerabilities that are disclosed regularly by vendors and the open source community. From a cybersecurity perspective, the discovery of the CVE-2019-5736 flaw is simply more business as usual, he says.

While IT organizations should make sure they patch this specific flaw, it’s only likely to become an issue if the organization is downloading containers from an untrusted source, McCarty says, noting most enterprise IT organizations are not likely to employ containers they haven’t validated. This might be an issue for smaller organizations that haven’t implemented best practices, he adds.

It’s also critical for organizations to employ host operating systems such as SELinux that don’t allow untrusted containers to run in the first place, he says. CVE-2019-5736 also reinforces the need for better support for multi-tenancy within a container platform, which serves to provide greater isolation between containers running on the same system.

Despite this disclosure and a Kubernetes security flaw that was addressed last month, containerized applications on the whole are still more secure than traditional monolithic applications, which rely on antiquated patch management processes to update the entire application. Containerized applications make it much easier to update an application by ripping and replacing the containers that make up a microservice.

Most organizations have cybersecurity concerns when considering adoption of any emerging technology. Containers are no exception to that rule. There always will be cybersecurity issues that need to be addressed. But rather than shying away from emerging technologies, savvy IT organizations that have embraced containers can take advantage of best DevSecOps processes to deal with these issues adroitly. In contrast, many monolithic applications are often not patched for months, sometimes years, after a vulnerability is disclosed.

Many cybersecurity professionals are still coming up to speed on what containers are and their implications to cybersecurity in general. DevOps teams would be well-advised to engage those cybersecurity teams proactively to help them overcome a natural fear of the unknown they are likely to have. After all, when it comes to cybersecurity, the only real thing to fear when it comes to containers is as always fear itself.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

Mike Vizard has 1439 posts and counting. See all posts by Mike Vizard