Linux Kernel memory cgroups escape via sctp - CVE-2019-3874

Brandon Philips

Mar 21, 2019, 1:50:54 PM3/21/19
to Kubernetes developer/contributor discussion, distributo...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com
Hello Kubernetes Community-

A security issue was discovered in the Linux Kernel that affects cgroup memory isolation via the esoteric sctp network transport. The issue is Medium severity and blacklisting the sctp kernel module is encouraged to fix this issue.

**How do I mitigate the vulnerability?**

Instructions for Linux distributions may vary, but these instructions should work for most.

Blacklist the sctp module on all hosts:

```sh
echo "install sctp /bin/true" > /etc/modprobe.d/sctp.conf
```

Reboot the host if the sctp module is loaded. You can test this with `lsmod | grep sctp`.

**Am I vulnerable?**

We recommend you blacklist the sctp module first (see mitigation above) before running this test. If the sctp module is inserted, a reboot is required to unload the module.

Run `modprobe sctp; lsmod | grep sctp` and if it says sctp you are potentially vulnerable.

**How do I upgrade?**

A Kernel patch is under development. However, blacklisting sctp and dccp, esoteric network protocols, is a common security practice and will protect users now and into the future.

**Vulnerability Details**

When a Pod runs as root it may bypass cgroup memory isolation, creating a potential DoS.

This issue is filed as CVE-2019-3874. See the CVE advisory for more details.

**Thank you**

Thank you to Matteo Croce & Jason Sheperd for the notification.

Thank You,

Brandon on behalf of the Kubernetes Product Security Committee
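An added audit helper, not part of the original advisory or of Kubernetes project code, that checks both halves of the mitigation above for sctp and for dccp (which the post also recommends blacklisting): whether a modprobe.d file carries the `install <module> /bin/true` line, and whether the module is currently loaded. The modprobe.d directory and modules-file paths are parameters so the check can be run against constructed fixtures; on a real host call `audit_modules /etc/modprobe.d /proc/modules`.

```sh
#!/bin/sh
# Audit a host for the CVE-2019-3874 module-blacklist mitigation.
# Added example, not from the advisory. Paths are parameters so the
# functions can be exercised against constructed fixtures.

# Return 0 if some *.conf file under directory $1 contains
# "install $2 /bin/true" (the blacklist line recommended above).
is_blacklisted() {
    dir=$1; mod=$2
    [ -d "$dir" ] || return 1
    grep -qsE "^[[:space:]]*install[[:space:]]+$mod[[:space:]]+/bin/true" "$dir"/*.conf
}

# Return 0 if module $2 appears as loaded in $1 (/proc/modules format:
# one module per line, name first).
is_loaded() {
    modules_file=$1; mod=$2
    grep -qsE "^$mod[[:space:]]" "$modules_file"
}

# Print one status word for module $3:
#   mitigated        blacklisted and not loaded
#   reboot-required  blacklisted but still loaded; the install line only
#                    blocks future loads, so the host must be rebooted
#   unmitigated      not blacklisted, so the module can still be loaded
module_status() {
    dir=$1; modules_file=$2; mod=$3
    if is_blacklisted "$dir" "$mod"; then
        if is_loaded "$modules_file" "$mod"; then
            echo reboot-required
        else
            echo mitigated
        fi
    else
        echo unmitigated
    fi
}

# Report on both protocols named in the advisory.
audit_modules() {
    for m in sctp dccp; do
        printf '%s: %s\n' "$m" "$(module_status "$1" "$2" "$m")"
    done
}
```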