May 30, 2019
This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then-active support subscription.
Dear Rancher User,
Docker has announced a new vulnerability, CVE-2018-15664:
In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).
The fix for this vulnerability has not yet been published by Docker. Rancher is currently evaluating the Docker pull request that addresses this vulnerability for next steps. We expect to validate Rancher product versions with the Docker fix as it becomes available.
At Rancher, we want to make sure you are always updated with the latest security fixes and patches. Stay tuned for a follow-up email from us next week that has details on this fix.
If there are any questions, simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.
Rancher Support Team
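
The CVE text above describes a check-then-use race on path resolution. The following Go sketch is an added example, not code from this advisory, Docker or Rancher: it sets a resolver that validates a path and then reopens it by name beside one that walks the path component by component with openat(2) and O_NOFOLLOW. That second approach is a general hardening technique chosen for illustration, not the Docker fix. Assumptions: Linux, Go 1.16 or later, `root` is an absolute, cleaned, symlink-free directory, and the names `naiveRead`, `safeRead` and `afterCheck` are hypothetical.

```go
package main
import (
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// naiveRead is check-then-use; afterCheck (hypothetical hook) models a concurrent swap.
func naiveRead(root, rel string, afterCheck func()) ([]byte, error) {
	p, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err != nil || !strings.HasPrefix(p, root+"/") {
		return nil, fmt.Errorf("rejected %q", rel)
	}
	afterCheck()          // race window between check and use
	return os.ReadFile(p) // re-walks p by name, so the check above is stale
}

// safeRead pins every component to a directory fd (openat) and refuses symlinks.
func safeRead(root, rel string) ([]byte, error) {
	const dir = syscall.O_DIRECTORY | syscall.O_NOFOLLOW | syscall.O_CLOEXEC
	parts := strings.Split(filepath.Clean(rel), "/")
	if parts[0] == ".." { // Clean leaves ".." only at the front of a relative path
		return nil, fmt.Errorf("rejected %q", rel)
	}
	fd, err := syscall.Open(root, dir, 0)
	for i := 0; err == nil && i < len(parts); i++ {
		flags, parent := dir, fd
		if i == len(parts)-1 {
			flags &^= syscall.O_DIRECTORY // final component is the file itself
		}
		fd, err = syscall.Openat(parent, parts[i], flags, 0)
		syscall.Close(parent)
	}
	if err != nil {
		return nil, err
	}
	f := os.NewFile(uintptr(fd), rel)
	defer f.Close()
	return io.ReadAll(f)
}

func main() { // assumed usage: go run . ROOT RELPATH
	if len(os.Args) == 3 {
		b, err := safeRead(os.Args[1], os.Args[2])
		fmt.Printf("%q %v\n", b, err)
	}
}
```

If a directory component is exchanged for a symlink inside `afterCheck`, `naiveRead` returns the file the symlink points to, while `safeRead` on the same tree returns an error. `safeRead` also refuses symlinks that stay inside `root`, which is stricter than many callers need.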