CloudBees Mesos recommendations for Docker CVE-2019-5736

Article ID: 360024105572


On Monday, February 11, 2019, a critical vulnerability, CVE-2019-5736, was announced for Docker.


  • Your Mesos Cluster


The CVE is CVE-2019-5736. It is listed in the National Vulnerability Database and is awaiting analysis.

Update runc to address a critical vulnerability that allows a specially crafted container to gain administrative (root) privileges on the host.


1. Restrict the Docker agent User flag to a non-root user, as described below

CloudBees recommends customers follow the recommendations provided to mitigate the risk.

The Docker Agent Template should be modified, where applicable, to use the User option and set the UID to a non-root user such as 1000.

The Agent Template definition can be modified either in Operations Center or in one of your Managed controllers.

Choose Add -> User and specify the user in the form field.

Example for reference:

2. The updated CloudBees AMI contains a docker-runc 1.13.1 binary with a backport that addresses the vulnerability

The updated AMI from March will be provided with the docker-runc backport.

Worker Nodes: Use the worker-add operation and specify the updated AMI in the worker_ami field. Older worker nodes can then be removed with worker-disable and worker-remove.

Controllers: Update project.config with the new AMI and restart the controllers one by one so that controller election is not affected.

3. Manually patch affected controllers and nodes

If you followed step 2 and are using the new AMI, you do not need to perform step 3, since the AMI already contains the fix.

Customers who wish to roll out the patched docker-runc manually, or who use a custom image, can obtain the patched version here.

Copy the file runc-v1.13.1-amd64-no-memfd_create to each controller/worker node in the cluster and replace the existing docker-runc binary, which is typically located in /usr/bin:


sudo mv /usr/bin/docker-runc /usr/bin/docker-runc.orig.$(date -Iseconds)
sudo mv runc-v1.13.1-amd64-no-memfd_create /usr/bin/docker-runc
sudo chmod 755 /usr/bin/docker-runc
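The three commands above do the replacement but give the operator no safety net: if the copied file is corrupt or the install fails part-way, the node is left without a working runc. The function below is an added example, not CloudBees' own tooling, that wraps the same steps (timestamped backup, install, chmod 755) and adds a checksum check before touching the live binary plus an automatic rollback if the install step fails. The function name, its arguments and the placeholder checksum are assumptions; the expected SHA-256 of the patched binary is not given on this page and must be supplied by the operator.

```shell
#!/bin/sh
# Added example: replace a docker-runc binary with a patched one, keeping a
# timestamped backup, verifying the expected SHA-256 of the new file first,
# and restoring the backup if the install fails. Not CloudBees' own script.
set -eu

# replace_runc NEW_BINARY TARGET_PATH EXPECTED_SHA256
# On success prints the backup path and returns 0; on failure the original
# binary is left (or put back) in place and a non-zero status is returned.
replace_runc() {
    new="$1"; target="$2"; expected="$3"

    # Refuse to proceed if the patched file is missing or its checksum does
    # not match the value the operator expects for it.
    [ -f "$new" ] || { echo "patched binary not found: $new" >&2; return 1; }
    actual=$(sha256sum "$new" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $new: got $actual" >&2
        return 1
    fi

    # Keep the old binary under a timestamped name so it can be rolled back,
    # matching the naming used in the manual steps.
    backup="$target.orig.$(date -Iseconds)"
    if [ -f "$target" ]; then
        mv "$target" "$backup"
    fi

    # Install the new binary; if the copy or chmod fails, restore the backup.
    if ! cp "$new" "$target" || ! chmod 755 "$target"; then
        [ -f "$backup" ] && mv "$backup" "$target"
        return 1
    fi
    echo "$backup"
}

# Usage on a node (run as root or via sudo); EXPECTED_SHA256 is a placeholder:
# replace_runc ./runc-v1.13.1-amd64-no-memfd_create /usr/bin/docker-runc EXPECTED_SHA256
```

Run it once per controller and worker node after copying the patched file over; the printed backup path is what you would move back into place if a rollback is ever needed. The checksum value should be recorded from a trusted copy of the patched binary before it is distributed, so that a damaged or tampered copy on any node is rejected before the live binary is touched.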