Rancher Security Advisory: CVE-2019-5736, Rancher supports Docker 18.09.2

February 11, 2019

This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then active support subscription.

Dear Rancher Customer,

Due to CVE-2019-5736, Rancher is now officially supporting Docker 18.09.2 for Rancher v2.1.6, v2.0.11 and v1.6.26 releases. To see which Rancher, OS and Docker versions are supported, please refer to the Rancher Support Matrix.

Please upgrade Docker to 18.09.2 for all nodes/hosts in Rancher.

Known Issues:

  • Nodes might go into an “Unavailable” state post Docker upgrade [#17916] – Workaround for each role is documented in the issue.

  • Ingress might not work post Docker upgrade [#17911] – Workaround: Restart the ingress controller.

  • In the UI, the Docker version of the nodes might not be updated post Docker upgrade [#17902] – Workaround: Add a label to the node to trigger a sync to nodes, which will cause the UI to update the Docker version of the nodes.

Patching runc in an older Docker version

If you are unable to upgrade Docker to 18.09.2, Rancher has provided a backport of runc binaries for older versions of Docker. Patches are available for Docker 1.12.6, 1.13.1, 17.03.2, 17.06.2, 17.09.1, 18.03.1, and 18.06.1. This repository provides the patches and directions for patching runc for your Docker version.

RancherOS v1.4.3 and RancherOS v1.5.1

In RancherOS v1.4.3 and v1.5.1, Rancher has patched runc in the included system-docker and user-docker versions to address CVE-2019-5736.

In RancherOS v1.5.1, Rancher has added support for Docker 18.09.2.

Please upgrade to one of these RancherOS versions as soon as possible to get the patched versions of Docker. The User Docker versions available in these RancherOS releases are patched, but the list of Docker versions looks the same as before. To check that you have a patched User Docker version, look at the os-docker image tag: patched images append `-1` to the tag. For example, `rancher/os-docker:18.03.1-1` is the patched version of 18.03.1.
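One way to check a node against the versions named in this advisory, as an added example that is not Rancher's own tooling: the function names and status words are hypothetical, and `sort -V` assumes GNU or BusyBox sort.

```shell
#!/bin/sh
# Added example, not Rancher tooling. Version data is taken from the advisory text.
FIXED_VERSION="18.09.2"
BACKPORT_VERSIONS="1.12.6 1.13.1 17.03.2 17.06.2 17.09.1 18.03.1 18.06.1"

# classify_docker VERSION (hypothetical helper) prints one of:
#   fixed    - 18.09.2 or newer
#   backport - older release with a Rancher runc backport; the version string
#              alone cannot show whether the patched runc is already installed
#   unlisted - older release with no backport named in the advisory
classify_docker() {
    # Strip build suffixes such as "-ce" so "17.03.2-ce" compares as "17.03.2".
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    if [ -z "$v" ]; then echo unlisted; return 0; fi
    # sort -V orders dotted versions numerically; the first line is the lower one.
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$v" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_VERSION" ]; then echo fixed; return 0; fi
    for b in $BACKPORT_VERSIONS; do
        if [ "$v" = "$b" ]; then echo backport; return 0; fi
    done
    echo unlisted
}

# classify_os_docker IMAGE (hypothetical helper) prints one of:
#   patched   - tag is VERSION-1, or the version itself is 18.09.2 or newer
#   unpatched - anything else
classify_os_docker() {
    tag=${1##*:}                                   # drop "rancher/os-docker:"
    ver=$(printf '%s' "$tag" | sed 's/[^0-9.].*$//')
    if [ -n "$ver" ] && [ "$tag" = "${ver}-1" ]; then echo patched; return 0; fi
    if [ "$(classify_docker "$tag")" = "fixed" ]; then echo patched; return 0; fi
    echo unpatched
}

# On a node: classify_docker "$(docker version --format '{{.Server.Version}}')"
```

A `backport` result means the node still needs the runc binary checked by hand, since replacing runc does not change the Docker version string.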

For more details on this vulnerability, also visit this Rancher blog post.

If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.

Rancher Support Team
