CVE-2019-19921: 
Docker vulnerability analysis and mitigation

CVE-2019-19921 affects runc through version 1.0.0-rc9, involving an Incorrect Access Control vulnerability that can lead to Escalation of Privileges. The vulnerability is related to libcontainer/rootfs_linux.go. To exploit this vulnerability, an attacker must have the capability to spawn two containers with custom volume-mount configurations and be able to run custom images. Notably, this vulnerability does not affect Docker due to an implementation detail that blocks the attack (NVD).

The vulnerability involves a race condition with shared mounts during container initialization. An attacker can exploit this by adding a symlink to the rootfs that points to a directory on the volume. The second container won't be able to see the actual mount, but it can race it by modifying the mount point on the volume. The CVSS v3.1 base score is 7.0 (High), with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

If successfully exploited, this vulnerability can be used for a full container breakout by racing readonly/mask mounts, allowing writes to dangerous paths like /proc/sys/kernel/core_pattern. This could lead to privilege escalation and potential system compromise. SELinux would ordinarily prevent the exploit, but it can be bypassed by symlinking /proc/self/task/1/attr/exec to something benign like /proc/self/sched. AppArmor can be similarly bypassed (GitHub Issue).

The vulnerability was fixed in runc version 1.0.0-rc10. Docker is not affected by this vulnerability due to its implementation that mounts procfs after mounting volumes, which prevents the /proc approach. Organizations should upgrade to the fixed version of runc. For systems where immediate upgrading is not possible, careful control over container volume mount configurations and image execution permissions should be implemented (GitHub Issue).