[prev in list] [next in list] [prev in thread] [next in thread] 

List:       mesos-dev
Subject:    CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.
From:       Alex R <alexr () apache ! org>
Date:       2019-03-23 13:58:39
Message-ID: CAPNiXbGKyPHPtZXmv4FPprW6u5nd6JxNWOpJWOyjXE4oL=jNaw () mail ! gmail ! com
[Download RAW message or body]


Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Mesos 1.4.0 to 1.7.0
The unsupported Apache Mesos pre-1.4.0 releases may be also affected.

Description:
A specifically crafted Docker image running under the root user can
overwrite the init helper binary of the Mesos container runtime and/or
the Mesos command executor. A malicious actor can therefore gain
root-level code execution on the host.

Mitigation:
1.4.x users should upgrade to 1.4.3
1.5.x users should upgrade to 1.5.3
1.6.x users should upgrade to 1.6.2
1.7.x users should upgrade to 1.7.2
1.8-dev users should obtain Mesos 1.8.0 or latest snapshot of 1.8-dev

Credit:
This issue was discovered by Gilbert Song and Jie Yu based on similar RunC
vulnerability report, CVE-2019-5736.

Alex on behalf of Mesos PMC


[prev in list] [next in list] [prev in thread] [next in thread]