Allele Security Alert
Processes run with `rkt enter` are not limited by cgroups during stage 2
Proof of concept
A flaw was found where rkt does not isolate processes in containers that are run with `rkt enter`. Processes run with `rkt enter` are not limited by cgroups during stage 2 (the actual environment in which the applications run). Compromised containers could exploit this flaw to access host resources.
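A host-side check for the condition described above, as an added example that is not part of the advisory or of rkt: it compares the `/proc/<pid>/cgroup` membership of a process started with `rkt enter` against a reference process in the pod. The function names, the sample cgroup paths, and the assumption that the reference process sits at the pod's cgroup root are all constructed for illustration.

```python
# Added example (not from the advisory). All sample data below is constructed.

def parse_cgroup(text):
    """Parse /proc/<pid>/cgroup text into {controller: cgroup path}."""
    membership = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # Each line is hierarchy-ID:controller-list:cgroup-path
        _hier, controllers, path = line.strip().split(":", 2)
        # cgroup v2 lines have an empty controller list ("0::/path").
        for ctrl in (controllers.split(",") if controllers else ["unified"]):
            membership[ctrl] = path
    return membership

def is_within(path, root):
    """True if cgroup `path` is `root` itself or a descendant of it."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")

def controllers_outside_pod(pod_ref_text, entered_text):
    """Controllers for which the entered process is outside the pod's cgroup.

    Assumption: pod_ref_text comes from a process at the pod's cgroup root.
    """
    pod = parse_cgroup(pod_ref_text)
    entered = parse_cgroup(entered_text)
    outside = {}
    for ctrl, root in pod.items():
        if root == "/":  # pod is not confined by this controller; skip
            continue
        path = entered.get(ctrl)
        if path is None or not is_within(path, root):
            outside[ctrl] = path
    return outside

# Constructed samples; the scope and slice names are hypothetical.
POD = "/machine.slice/machine-rkt-example.scope"
POD_REF = f"11:memory:{POD}\n10:cpu,cpuacct:{POD}\n9:pids:{POD}\n4:freezer:/\n1:name=systemd:{POD}\n"
ENTERED = ("11:memory:/user.slice\n10:cpu,cpuacct:/user.slice\n"
           "9:pids:/user.slice/user-0.slice/session-1.scope\n4:freezer:/\n"
           "1:name=systemd:/user.slice/user-0.slice/session-1.scope\n")
CONFINED = POD_REF.replace(POD, POD + "/system.slice/app.service")

if __name__ == "__main__":
    for ctrl, path in sorted(controllers_outside_pod(POD_REF, ENTERED).items()):
        print(f"{ctrl}: entered process is in {path!r}, outside the pod cgroup")
```

On a live host, pass the contents of `/proc/<pid>/cgroup` for the two processes instead of the constructed strings.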
Yuval Avrahami (Twistlock)
Breaking Out of rkt – 3 New Unpatched CVEs
Bug 1714434 (CVE-2019-10147) – CVE-2019-10147 rkt: processes run with `rkt enter` are not limited by cgroups during stage 2
Escaping like a Rocket via rkt enter
rkt enter lacks isolation features #3998
Last modified: June 7, 2019