First published: Sat Mar 23 2019
A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Mesos | >=1.4.0, <1.4.3 | Upgrade to 1.4.3 |
| Apache Mesos | >=1.6.0, <1.6.2 | Upgrade to 1.6.2 |
| Apache Mesos | >=1.7.0, <1.7.2 | Upgrade to 1.7.2 |
| Apache Mesos | =1.8.0-dev | Upgrade to 1.8.0 |
| Redhat Fuse | =7.5.0 | |
CVE-2019-0204 is a vulnerability in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1 that allows a malicious actor to gain root access to the system.
CVE-2019-0204 is classified as critical with a severity score of 8.8 out of 10.
To check whether your system is affected by CVE-2019-0204, check whether an Apache Mesos version pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, or 1.7.0 to 1.7.1 is installed.
To fix CVE-2019-0204, update your Apache Mesos to version 1.4.3, 1.5.3, 1.6.2, 1.7.2, or 1.8.0, depending on your currently installed version.
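The version check above is easy to get wrong by hand when several release lines are affected and pre-release builds (1.8.0-dev) are in play. The following script, added here as an example and not part of Apache Mesos or SecAlerts tooling, turns the affected ranges and fixed releases stated on this page into a comparable version key and reports the upgrade target. It assumes semver-style ordering where a pre-release tag such as `-dev` or `-rc1` sorts below the final release of the same number, and it treats "pre-1.4.x" as every release below 1.4.3 with 1.4.3 as the upgrade target (an assumption, since the page gives no separate target for those builds).

```python
"""Classify an Apache Mesos version string against the CVE-2019-0204 affected
ranges listed in the advisory and report the first fixed release to move to.
Added example; not Apache Mesos or SecAlerts code."""
import re
import sys
from typing import List, Optional, Tuple

# Sort key: (major, minor, patch, release_flag). A pre-release tag such as
# "-dev" or "-rc1" sorts below the final release of the same number, as in
# semver, so 1.8.0-dev < 1.8.0 and 1.4.3-rc1 < 1.4.3.
Key = Tuple[int, int, int, int]

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text: str) -> Key:
    """Turn '1.7.1', 'v1.8.0-dev' or '1.4.3+build7' into a comparable key."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Mesos version string: {text!r}")
    major, minor, patch, prerelease = m.groups()
    # Build metadata (+...) does not affect ordering; a pre-release does.
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def _release(major: int, minor: int, patch: int) -> Key:
    """Key of a final (non-pre-release) version."""
    return (major, minor, patch, 1)


# Affected ranges from the advisory as half-open [low, high) intervals, each
# paired with the first fixed release on that line.
# "pre-1.4.x" is modelled as every version below 1.4.3 (assumption: 1.4.3 is
# the upgrade target for those builds as well).
AFFECTED: List[Tuple[Key, Key, str]] = [
    ((0, 0, 0, 0), _release(1, 4, 3), "1.4.3"),
    (_release(1, 5, 0), _release(1, 5, 3), "1.5.3"),
    (_release(1, 6, 0), _release(1, 6, 2), "1.6.2"),
    (_release(1, 7, 0), _release(1, 7, 2), "1.7.2"),
    # 1.8.0-dev: every 1.8.0 pre-release is affected; the 1.8.0 release is fixed.
    ((1, 8, 0, 0), _release(1, 8, 0), "1.8.0"),
]


def cve_2019_0204_status(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fixed_in); fixed_in is None when the version is safe."""
    key = parse_version(version)
    for low, high, fixed_in in AFFECTED:
        if low <= key < high:
            return True, fixed_in
    return False, None


if __name__ == "__main__":
    # Usage: python check_mesos_cve_2019_0204.py 1.7.1 1.8.0-dev 1.5.3
    for arg in sys.argv[1:] or ["1.7.1"]:
        affected, fixed_in = cve_2019_0204_status(arg)
        verdict = f"AFFECTED, upgrade to {fixed_in}" if affected else "not affected"
        print(f"{arg}: {verdict}")
```

Feed it the version reported by your Mesos agents (one argument per version); anything reported as affected should be scheduled for the named upgrade, and agents that run Docker containers as root deserve priority since that is the precondition the advisory describes.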
For more information about CVE-2019-0204, refer to the following references:

- [CVE-2019-0204 on the Apache Mesos mailing list](https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E)
- [CVE-2019-0204 on Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=1692756)
- [Red Hat Security Advisory RHSA-2019:3892](https://access.redhat.com/errata/RHSA-2019:3892)