Fluid Attacks Database

Description

Docker image code execution with Apache Mesos A specifically crafted Docker image running under the root user can overwrite the init helper binary of the container runtime and/or the command executor in Apache Mesos versions pre-1.4.x, 1.4.0 to 1.4.2, 1.5.0 to 1.5.2, 1.6.0 to 1.6.1, and 1.7.0 to 1.7.1. A malicious actor can therefore gain root-level code execution on the host.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.apache.mesos:mesos	>=0 <1.4.3 \|\| >=1.5.0 <1.5.3 \|\| >=1.6.0 <1.6.2 \|\| >=1.7.0 <1.7.2	1.4.3, 1.5.3, 1.6.2, 1.7.2

Aliases

1. CVE-2019-02042. NVD-2019-02043. OSV-2019-02044. GCVE-2019-02045. access.redhat.com

References

1. https://lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E2. http://www.securityfocus.com/bid/107605

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.