Severity: Important Vendor: The Apache Software Foundation
Versions Affected: Apache Mesos 1.4.0 to 1.7.0 The unsupported Apache Mesos pre-1.4.0 releases may be also affected. Description: A specifically crafted Docker image running under the root user can overwrite the init helper binary of the Mesos container runtime and/or the Mesos command executor. A malicious actor can therefore gain root-level code execution on the host. Mitigation: 1.4.x users should upgrade to 1.4.3 1.5.x users should upgrade to 1.5.3 1.6.x users should upgrade to 1.6.2 1.7.x users should upgrade to 1.7.2 1.8-dev users should obtain Mesos 1.8.0 or latest snapshot of 1.8-dev Credit: This issue was discovered by Gilbert Song and Jie Yu based on similar RunC vulnerability report, CVE-2019-5736. Alex on behalf of Mesos PMC