Message-ID: <CAPNiXbEebqXnrqodz2P6h0=_jFZGHTUXRR2Ps7umzaE=Y6nmFA@mail.gmail.com>
Date: Sat, 23 Mar 2019 14:58:41 +0100
From: Alex R <alexr@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-0204: Some Mesos components can be overwritten making arbitrary code execution possible.

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Mesos 1.4.0 to 1.7.0
The unsupported Apache Mesos pre-1.4.0 releases may also be affected.

Description:
A specifically crafted Docker image running under the root user can
overwrite the init helper binary of the Mesos container runtime and/or
the Mesos command executor. A malicious actor can therefore gain
root-level code execution on the host.

Mitigation:
1.4.x users should upgrade to 1.4.3
1.5.x users should upgrade to 1.5.3
1.6.x users should upgrade to 1.6.2
1.7.x users should upgrade to 1.7.2
1.8-dev users should obtain Mesos 1.8.0 or latest snapshot of 1.8-dev

Credit:
This issue was discovered by Gilbert Song and Jie Yu based on the similar runC
vulnerability report, CVE-2019-5736.

Alex on behalf of Mesos PMC
