====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN077

_____________________________________________________________________

DATE                : 01/04/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Mesos versions prior to
                               1.4.3, 1.5.3, 1.6.2, 1.7.2.

=====================================================================
http://mail-archives.apache.org/mod_mbox/mesos-user/201903.mbox/%3cCAPNiXbF1ZYsMjNeoHLqd5wS2Rr9F-5xmAeMYq0wMYrY2=QdkeA@mail.gmail.com%3e
_____________________________________________________________________

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Mesos 1.4.0 to 1.7.0
The unsupported Apache Mesos pre-1.4.0 releases may be also affected.

Description:
A specifically crafted Docker image running under the root user can
overwrite the init helper binary of the Mesos container runtime and/or
the Mesos command executor. A malicious actor can therefore gain
root-level code execution on the host.

Mitigation:
1.4.x users should upgrade to 1.4.3
1.5.x users should upgrade to 1.5.3
1.6.x users should upgrade to 1.6.2
1.7.x users should upgrade to 1.7.2
1.8-dev users should obtain Mesos 1.8.0 or latest snapshot of 1.8-dev

Credit:
This issue was discovered by Gilbert Song and Jie Yu based on similar
RunC vulnerability report, CVE-2019-5736.

Alex on behalf of Mesos PMC


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================