CVE-2019-5736 fix for Azure IoT Edge
Posted on 13 February 2019
Recently, a security vulnerability (CVE-2019-5736) was announced in runC, the low-level container runtime underneath Docker and related container engines. A malicious container can exploit it to overwrite the host's runC binary and thereby gain root-level code execution on the host. The attack is triggered when a user runs the exec command against a running instance of that container (or starts a new container from an attacker-controlled image).
Microsoft has built a new version of the Moby container runtime (moby-engine v3.0.4) that includes the runC fix published by the Open Container Initiative (OCI). We highly recommend that you update the container runtime on every IoT Edge device by using the instructions below for your platform, and confirm afterwards that docker version reports a server version of 3.0.4 or later:
Linux Debian-based X64 (.deb):
- Register the Microsoft key and software repository feed, following the Azure IoT Edge installation instructions.
- sudo apt-get update
- sudo apt-get install moby-engine
Linux CentOS-based X64 (.rpm):
- curl -L https://aka.ms/moby-engine-x86_64-rpm-latest -o moby-engine-3.0.4-centos.x86_64.rpm
- sudo yum install -y ./moby-engine-3.0.4-centos.x86_64.rpm
Linux Debian-based ARM32 (for example, Raspberry Pi):
- curl -L https://aka.ms/moby-engine-armhf-latest -o moby_engine.deb
- sudo dpkg -i ./moby_engine.deb
If you are testing or developing with Docker Engine instead of the Microsoft-built moby-engine, update Docker Engine to 18.09.2 or later, which carries the same runC fix.
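The following script is an added example and is not part of the original post or of Microsoft's tooling. It turns the version thresholds above (moby-engine 3.0.4, Docker Engine 18.09.2) into a check that can be run on a device before and after the update, and prints the update commands from the three platform procedures for the platform it detects. It assumes that docker version reports the server version as a dotted number with an optional suffix (for example "3.0.4+azure" or "18.09.2"), and that the Microsoft build is installed as the moby-engine package.

```shell
#!/bin/sh
# Added example, not from the original post or from Microsoft: check whether
# the container engine on an IoT Edge device already carries the CVE-2019-5736
# fix, using the thresholds the post gives (moby-engine 3.0.4, Docker Engine
# 18.09.2), and print the update commands from the post for the detected
# platform. ASSUMPTION: `docker version` reports the server version as a
# dotted number with an optional suffix, e.g. "3.0.4+azure" or "18.09.2".
set -u

MOBY_FIXED=3.0.4
DOCKER_FIXED=18.09.2

# version_ge HAVE WANT: succeed when HAVE >= WANT. Fields are compared
# numerically left to right; a non-numeric suffix ("-ce", "+azure") is
# dropped from each field and missing fields count as 0.
version_ge() {
  have=$1; want=$2
  while [ -n "$have" ] || [ -n "$want" ]; do
    a=${have%%.*}; b=${want%%.*}
    case $have in *.*) have=${have#*.} ;; *) have='' ;; esac
    case $want in *.*) want=${want#*.} ;; *) want='' ;; esac
    a=${a%%[!0-9]*}; b=${b%%[!0-9]*}
    a=${a:-0}; b=${b:-0}
    if [ "$a" -gt "$b" ]; then return 0
    elif [ "$a" -lt "$b" ]; then return 1
    fi
  done
  return 0
}

# engine_patched ENGINE VERSION: succeed when VERSION of ENGINE ("moby" for
# the Microsoft-built moby-engine, "docker" for Docker Engine) includes the fix.
engine_patched() {
  case $1 in
    moby)   version_ge "$2" "$MOBY_FIXED" ;;
    docker) version_ge "$2" "$DOCKER_FIXED" ;;
    *)      echo "engine_patched: unknown engine '$1'" >&2; return 2 ;;
  esac
}

# update_cmd FAMILY/ARCH: print the update command from the post for that
# platform, or fail for a platform the post does not cover.
update_cmd() {
  case $1 in
    debian/x86_64)
      echo 'sudo apt-get update && sudo apt-get install moby-engine' ;;
    rhel/x86_64)
      echo 'curl -L https://aka.ms/moby-engine-x86_64-rpm-latest -o moby-engine-3.0.4-centos.x86_64.rpm && sudo yum install -y ./moby-engine-3.0.4-centos.x86_64.rpm' ;;
    debian/armv7l)
      echo 'curl -L https://aka.ms/moby-engine-armhf-latest -o moby_engine.deb && sudo dpkg -i ./moby_engine.deb' ;;
    *)
      return 1 ;;
  esac
}

# detect_platform: print FAMILY/ARCH from /etc/os-release and uname -m
# (e.g. "debian/x86_64", "debian/armv7l" on a Raspberry Pi, "rhel/x86_64").
detect_platform() {
  ID=''; ID_LIKE=''
  if [ -r /etc/os-release ]; then . /etc/os-release; fi
  case "$ID $ID_LIKE" in
    *debian*|*ubuntu*|*raspbian*) family=debian ;;
    *rhel*|*centos*|*fedora*)     family=rhel ;;
    *)                            family=unknown ;;
  esac
  echo "$family/$(uname -m)"
}

# report: compare the running engine against the fixed version and say what
# to do. Exit 0 when patched, 1 when an update is needed, 2 on error.
report() {
  ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
    echo "cannot query the container engine (is the daemon running?)" >&2
    return 2
  }
  # The Microsoft build ships as the moby-engine package (deb or rpm);
  # anything else is treated as upstream Docker Engine.
  if dpkg-query -W moby-engine >/dev/null 2>&1 || rpm -q moby-engine >/dev/null 2>&1; then
    engine=moby
  else
    engine=docker
  fi
  if engine_patched "$engine" "$ver"; then
    echo "$engine $ver already includes the CVE-2019-5736 fix"
    return 0
  fi
  echo "$engine $ver is affected by CVE-2019-5736; update with:"
  platform=$(detect_platform)
  update_cmd "$platform" || echo "  (no command in the post for $platform)"
  return 1
}

# Only act when invoked with --report, so the file can also be sourced.
if [ "${1:-}" = --report ]; then report; fi
```

Run it as sh check-runc.sh --report on the device (with sudo if the docker socket is root-only); an exit status of 1 means the engine is still on a vulnerable version, and the printed command is the one from the matching procedure above.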