Date: Sat, 23 Mar 2019 14:58:41 +0100 From: Alex R <alexr@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible. Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Mesos 1.4.0 to 1.7.0 The unsupported Apache Mesos pre-1.4.0 releases may be also affected. Description: A specifically crafted Docker image running under the root user can overwrite the init helper binary of the Mesos container runtime and/or the Mesos command executor. A malicious actor can therefore gain root-level code execution on the host. Mitigation: 1.4.x users should upgrade to 1.4.3 1.5.x users should upgrade to 1.5.3 1.6.x users should upgrade to 1.6.2 1.7.x users should upgrade to 1.7.2 1.8-dev users should obtain Mesos 1.8.0 or latest snapshot of 1.8-dev Credit: This issue was discovered by Gilbert Song and Jie Yu based on similar RunC vulnerability report, CVE-2019-5736. Alex on behalf of Mesos PMC
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.