CloudBees Mesos recommendations for Docker CVE-2019-5736

Issue

On Monday, February 11, 2019, a critical vulnerability, CVE-2019-5736, was announced for Docker.

Environment

  • Your Mesos Cluster

Background

The CVE is CVE-2019-5736. It is listed in the National Vulnerability Database as CVE-2019-5736 and is awaiting analysis.

Update runc to address a critical vulnerability that allows specially crafted containers to gain administrative privileges on the host.

Recommendations

1. Restrict the Docker agent User flag to a non-root user, as described below

CloudBees recommends customers follow the recommendations provided to mitigate the risk.

The Docker Agent Template should be modified, where applicable, to use the User option and set the UID to a non-root user
such as 1000.

The Agent Template definition can be modified either in Operation Center or in one of your Managed Masters.

Choose Add -> User and specify the user in the form field.

Example for reference (screenshot: agentTemplateUserConfig)
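Once the User option is set in the template, the check a cluster operator wants is that the agent containers on a worker node really start as that non-root UID. The script below is an added example, not part of the CloudBees article: it reads the user Docker recorded for each running container (`docker inspect --format '{{.Config.User}}'`, which is empty when the image default, normally root, is in effect) and lists the containers still running as root. The `collect_container_users` helper and the `--live` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the CloudBees article): list running containers
# whose configured user still resolves to root, so the User option set in
# the Docker Agent Template can be verified on a worker node.

# is_root_user USER
# True when the user string Docker stored in Config.User resolves to root:
# empty (image default), "0", "root", or UID/GID forms such as "0:0".
# A numeric UID such as 1000 (the value the article suggests) is non-root
# regardless of what /etc/passwd inside the image says.
is_root_user() {
    case "$1" in
        ""|0|root|0:*|root:*) return 0 ;;
        *) return 1 ;;
    esac
}

# report_root_containers
# Reads "<container id> <user>" lines on stdin and prints the ids of the
# containers that run as root, one per line. Nothing is printed when every
# container runs as a non-root user.
report_root_containers() {
    while IFS=' ' read -r id user; do
        [ -n "$id" ] || continue
        if is_root_user "$user"; then
            echo "$id"
        fi
    done
}

# count_root_containers
# Same input as report_root_containers; prints the number of root containers.
count_root_containers() {
    report_root_containers | wc -l | tr -d ' '
}

# collect_container_users (assumed helper for live use on a node)
# Emits the "<id> <user>" lines for every running container on this host.
collect_container_users() {
    for id in $(docker ps -q); do
        printf '%s %s\n' "$id" "$(docker inspect --format '{{.Config.User}}' "$id")"
    done
}

# Live usage on a worker node:  sh audit-agent-users.sh --live
# (the --live flag is this example's own convention)
if [ "${1:-}" = "--live" ]; then
    collect_container_users | report_root_containers
fi
```

Run it on each worker after the template change; any id it prints belongs to a container that the agent template did not cover, or that was started before the change and has not been recycled.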

2. The updated CloudBees AMI contains a docker-runc 1.13.1 binary with a backport that addresses the security vulnerability

An updated AMI from March will be provided with the backport of docker-runc.

Worker Nodes:
Use the worker-add operation and specify the worker_ami field with the updated AMI. Older worker nodes can then be removed
via worker-disable and worker-remove.

Controllers:
Update project.config with the new AMI and restart the controllers one by one so that master election isn't affected.

3. Manually patching affected controllers and nodes

If you followed step 2 and use the new AMI, you do not need to perform this step, since the new AMI already includes the fix.

Customers who wish to roll out the patched docker-runc manually, or who have a custom image, can obtain the patched version here:
 
 [Download link](https://s3.amazonaws.com/cloudbees-pse-dependencies-ci/runc-cve/runc-v1.13.1-amd64-no-memfd_create)
 
Copy the file runc-v1.13.1-amd64-no-memfd_create to each controller/worker node in the cluster and replace the existing
docker-runc binary, which is typically located in /usr/bin.

Example:

 # keep the original binary under a timestamped name so it can be restored
 sudo mv /usr/bin/docker-runc /usr/bin/docker-runc.orig.$(date -Iseconds)
 # install the patched binary in its place
 sudo mv runc-v1.13.1-amd64-no-memfd_create /usr/bin/docker-runc
 # docker-runc must be executable by the Docker daemon
 sudo chmod 755 /usr/bin/docker-runc
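The three commands above are what the replacement boils down to, but on a node where every container launch depends on docker-runc it is worth refusing to proceed when the download is missing or empty, or when nothing is installed at the target path (a mistyped path would leave a stray binary instead of a patched one). The script below is an added example, not part of the CloudBees article or its AMI tooling; it performs the same backup, move and chmod as the article, with those checks in front, and takes both paths as parameters so it can be exercised on a scratch directory. The function names `replace_runc` and `verify_runc` are this example's own.

```shell
#!/bin/sh
# Added example (not from the CloudBees article): the manual docker-runc
# replacement from step 3 with pre-flight checks. Run as root (e.g. via sudo)
# on a real controller or worker node.

# replace_runc NEW_BINARY TARGET
#   NEW_BINARY: the downloaded runc-v1.13.1-amd64-no-memfd_create file
#   TARGET:     the installed binary, typically /usr/bin/docker-runc
# Backs up TARGET with a timestamp suffix (as the article does), installs
# NEW_BINARY as TARGET with mode 755 and prints the backup path. Returns
# non-zero without touching TARGET when a precondition fails.
replace_runc() {
    new="$1"
    target="$2"

    # The download must exist and be non-empty; a truncated transfer would
    # otherwise replace a working docker-runc with an empty file.
    if [ ! -s "$new" ]; then
        echo "replace_runc: $new is missing or empty" >&2
        return 1
    fi
    # Only patch where docker-runc is actually installed.
    if [ ! -f "$target" ]; then
        echo "replace_runc: $target does not exist" >&2
        return 1
    fi

    backup="$target.orig.$(date -Iseconds)"
    mv "$target" "$backup" || return 1
    mv "$new" "$target" || return 1
    chmod 755 "$target" || return 1
    echo "$backup"
}

# verify_runc TARGET
# Confirms TARGET is a regular executable file with mode 0755, which is the
# state the article's chmod leaves behind. The stat fallback covers BSD stat.
verify_runc() {
    target="$1"
    [ -f "$target" ] && [ -x "$target" ] || return 1
    mode=$(stat -c '%a' "$target" 2>/dev/null || stat -f '%Lp' "$target")
    [ "$mode" = "755" ]
}

# Usage on a node, as root:
#   replace_runc ./runc-v1.13.1-amd64-no-memfd_create /usr/bin/docker-runc
#   verify_runc /usr/bin/docker-runc && docker-runc --version
```

The backup path it prints is what you would move back into place if a node misbehaves after the swap. Because the daemon invokes docker-runc for each new container, already running containers are unaffected and new ones pick up the patched binary immediately.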
