CVE-2019-5736 fix for Azure IoT Edge

Posted on Wednesday, February 13, 2019

Recently, a security vulnerability (CVE-2019-5736) was announced in runC, the low-level container runtime underneath Docker and associated container engines. A malicious container can exploit it to overwrite the host's runC binary and gain root-level code execution on the host; the attack is triggered when a user runs the exec command against a running instance of that container, or starts a new container from an attacker-controlled image.

Microsoft has built a new version of the Moby container engine (v3.0.4) that includes the Open Container Initiative (OCI) runC update addressing this vulnerability. We highly recommend that you update the container runtime on your IoT Edge device by using the following instructions, as applicable:

Linux Debian-based X64 (.deb):

  1. Follow the instructions to register the Microsoft key and software repository feed.
  2. sudo apt-get update
  3. sudo apt-get install moby-engine

Linux CentOS-based X64 (.rpm):

  1. curl -L https://aka.ms/moby-engine-x86_64-rpm-latest -o moby-engine-3.0.4-centos.x86_64.rpm
  2. sudo yum install -y ./moby-engine-3.0.4-centos.x86_64.rpm

Linux Debian-based ARM32 (for example, Raspberry Pi):

  1. curl -L https://aka.ms/moby-engine-armhf-latest -o moby_engine.deb
  2. sudo dpkg -i ./moby_engine.deb

If you are testing or developing with Docker instead of the Microsoft-built moby-engine, update Docker Engine to 18.09.2 or more recent, which carries the same runC fix.
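To confirm that a device actually picked up the fix, the following POSIX shell script is an added example (not from the original post or the Azure IoT Edge project): it parses the `docker --version` line and compares it component-wise against the fixed releases named above, moby-engine 3.0.4 and Docker Engine 18.09.2. It assumes both engines print `Docker version X.Y.Z, build ...`, and that a 3.x version is Microsoft's moby-engine while anything higher is upstream Docker; the sample lines at the bottom are constructed, not real device output.

```shell
#!/bin/sh
# Added example, not part of the original post: decide whether the container
# engine on an IoT Edge device is at or past the release that fixes
# CVE-2019-5736. Thresholds come from the post: moby-engine 3.0.4 and
# Docker Engine 18.09.2. Assumptions: `docker --version` prints
# "Docker version X.Y.Z, build ..." for both engines, and a major version
# below 10 means Microsoft's moby-engine rather than upstream Docker.

# to_int N: drop leading zeros ("09" -> "9") so the shell's arithmetic
# does not read the component as octal.
to_int() {
    n="$1"
    while [ "${#n}" -gt 1 ] && [ "${n#0}" != "$n" ]; do n="${n#0}"; done
    printf '%s' "${n:-0}"
}

# version_ge A B: exit 0 if dotted version A >= B, comparing numerically
# component by component; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ap=$(to_int "$ap"); bp=$(to_int "$bp")
        [ "$ap" -gt "$bp" ] && return 0
        [ "$ap" -lt "$bp" ] && return 1
    done
    return 0
}

# parse_version LINE: extract the numeric version from a `docker --version`
# line, e.g. "Docker version 18.09.2, build 6247962" -> "18.09.2".
# Prints nothing if the line does not have the expected shape.
parse_version() {
    v="${1#Docker version }"
    expr "$v" : '\([0-9][0-9.]*\)' || true
}

# engine_fixed VERSION: exit 0 if VERSION includes the runC fix. The
# major-version split between moby-engine and Docker is this example's
# assumption, not something the post states.
engine_fixed() {
    major=$(to_int "${1%%.*}")
    if [ "$major" -lt 10 ]; then
        version_ge "$1" 3.0.4      # Microsoft moby-engine
    else
        version_ge "$1" 18.09.2    # upstream Docker Engine
    fi
}

# check_line LINE: print a verdict for one version line.
# Exit 0 = fixed, 1 = vulnerable, 2 = could not parse.
check_line() {
    ver=$(parse_version "$1")
    if [ -z "$ver" ]; then
        echo "could not parse version from: $1"; return 2
    fi
    if engine_fixed "$ver"; then
        echo "$ver: FIXED"; return 0
    fi
    echo "$ver: VULNERABLE, update the engine"; return 1
}

# Constructed sample lines (not captured from a device), then the live
# engine if one is installed.
check_line "Docker version 3.0.2, build 3a8b8d3" || true
check_line "Docker version 3.0.4, build 5d8c6c2" || true
check_line "Docker version 18.09.1, build 4c52b90" || true
check_line "Docker version 18.09.2, build 6247962" || true
if command -v docker >/dev/null 2>&1; then
    check_line "$(docker --version 2>/dev/null)" || true
fi
```

Run it on the device after the package upgrade; a VULNERABLE verdict on the live line means the new moby-engine (or Docker Engine) package was not actually installed or the old binary is still on the PATH. The version comparison is deliberately numeric rather than a string match so that 3.0.10 is recognised as newer than 3.0.4.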

Windows containers on Windows are not affected, because they do not use runC.
