Elastic is aware of the runc vulnerability in older versions of Docker, and its potential impact on Elastic Cloud Enterprise (ECE) customers. This blog explains the risks and recommends actions for mitigating impact on affected environments.
Please note that while our Elasticsearch Service is based on ECE, it is continuously patched and monitored by our cloud team. No action is required from any Elasticsearch Service customers.
For hosts running older versions of Docker engine, the runc vulnerability allows gaining administrative privileges on the host through an attacker controlled image or a compromised container. For more information and a list of impacted versions, please read this Docker Security Update.
Potential Impact on ECE
ECE does not allow running arbitrary docker images. Further, it incorporates a number of controls to prevent privilege escalation within a container. These include running the Elastic Stack as a non-root user, and removing suid flag in the suid binaries (like “sudo”) for images shipped with ECE that are not EOL.
Since ECE is a software that allows managing Elasticsearch clusters in customer-owned infrastructure or cloud, ECE admins can naturally access and modify all deployments managed by ECE.
The users of deployments managed by ECE (e.g. an Elasticsearch user) cannot modify containers nor the images in ECE (prerequisites for a runc attack). With the protections in place as described above, the risk of privilege escalation is further reduced.
Recommended Actions for ECE
Elastic recommends upgrading Docker engine and monitoring runc binaries on the hosts.
Customers running ECE 2.x should upgrade to the latest version of Docker Engine. Customers running ECE 1.x will need to upgrade to ECE 2.1, which is required to run on the latest version of Docker engine. Customers can perform host maintenance prior to initiating the upgrade. Customers should consider monitoring runc binary for any changes by running Auditbeat on hosts.
In general, it is important to keep up with the ECE upgrades to mitigate against these types of vulnerabilities. Please note that ECE 2.1 is fully backwards compatible with earlier versions and all of existing deployments and API usage will continue to work without changes.