What news from AWS re:Invent last week will have the most impact on you?
Amazon Q, an AI chatbot for explaining how AWS works.
Super-fast S3 Express storage.
New Graviton 4 processor instances.
Emily Freeman leaving AWS.
I don't use AWS, so none of this will affect me.
Containers / Open Source / Security

Docker Calls out Red Hat for Ambitious Marketing over Recent RunC Vulnerability

Jan 17th, 2017 2:08pm by
Featued image for: Docker Calls out Red Hat for Ambitious Marketing over Recent RunC Vulnerability

Red Hat and Docker are once again competitive frenemies after a disagreement in which the Docker chief technology officer criticized Red Hat for being a little too aggressive over in its marketing materials.

The dispute centered on the effects of a recently unearthed (and speedily corrected) bug in the open source runC container runtime engine. If nothing else, the dispute illustrates the boundaries of competitive marketing in the open source ecosystem (as well as that Docker co-founder Solomon Hykes‘ steadfast — and refreshing for us tech journos — refusal to stay behind the corporate public relations firewall).

This privilege escalation vulnerability was unearthed on January 2 by SUSE’s Aleksa Sarai and Docker’s Tõnis TiigiQuoteth the CVE:

RunC allowed additional container processes via runc exec to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.

In other words, this bug could be used by a malicious hacker to affect operations of a host from inside a container.

RunC is the basic core container runtime engine for Docker’s container software. Docker Inc. had open sourced runC and bequeathed it to the Open Container Initiative. For this bug, runC’s maintainers had quickly issued a patch, and on January 10, Docker updated its own software, with the Docker 1.12.6 release, encouraging all users to update their copies (though other, non-Docker, implementations may still need to be patched).

Story over? Not so fast. A few days later, Red Hat consulting engineer Dan Walsh posted a blog item, entitled “Docker 0-Day Stopped Cold by SELinux,” asserting that those users who deployed SELinux, a Linux fine-grained access control framework included in Red Hat Enterprise Linux, would have been protected by any attacks stemming from this vulnerability.

“SELinux is the only thing that protects the host file system from attacks from inside of the container. If the processes inside of the container get access to a host file and attempt to read and write the content SELinux will check the access,” he wrote.

In a Hacker News forum created about the Red Hat post, someone, presumably at Docker, had called out Walsh for inferring that users did not need to upgrade to Docker 1.12.6, simply because SELinux supposedly would cover the vulnerability.

Hykes also weighed in as well, criticizing the Red Hat post for opportunistic marketing around the vulnerability.

“A few vendors (not just Red Hat) have incorrectly announced to their users that they didn’t need to upgrade to the latest version of Docker because their enterprise-grade commercial platform would ‘stop the vulnerability cold,’ he wrote.

Hykes also raised a number of other issues around the way the blog post was worded, pointing out that that runC is not a Docker product, but one of the OCI open source community, and that the vulnerability was not a zero-day. Zero-day means that the vulnerability was unknown to the vendor, though in this case, the maintainers, and Docker, had already issued a patch by the time Walsh’s post went live. All of these details added up, Hykes argued, to make “the vulnerability scarier.”

Behind the scenes, Docker had contacted Red Hat, according to spokespeople from both companies, to address these issues. And Red Hat changed the title of the post, to a more conservative “SELinux Mitigates container Vulnerability.”

In an e-mail with The New Stack, Red Hat evangelist Joe Brockmeier had admitted that the use of “zero-day” was inappropriate to describe this vulnerability. In his zest for SELinux, Walsh was a bit too dramatic in his description (Not surprising: Walsh is an ardent believer that SELinux should serve as a basic building block for production-level container security).

Brockmeier also pointed out that Red Hat is, in fact, encouraging its users to install the patch: “Users should absolutely update their systems. SELinux is just one tool in a more comprehensive defense-in-depth strategy that should be pursued.”

Of course, aggressive competitive marketing is nothing new in the field of IT — Red Hat competitors Oracle and Microsoft were masters of the form of the Fear, Uncertainty and Doubt a decade or two ago. But in the open source community, competitors are also collaborators, so the lines of competition are not so distinct, and aggressive marketing can come back to haunt its originator.

In fact, as of late last year, 19 runC contributors identify themselves as working for Red Hat, compared to 16 who identify as currently working for Docker.

TNS Technical Editor Benjamin Ball and TNS Research Analyst Lawrence Hecht contributed to this report. 

Docker and Red Hat are sponsors of The New Stack.

Feature image: Docker’s runC icon.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: The New Stack, Docker.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.