The Cisco Product Security Incident Response Team (PSIRT) published the security advisory cisco-sa-20190215-runc which describes a high-severity vulnerability in Docker. Read the entire PSIRT team advisory for a full explanation of the vulnerability.
This vulnerability impacts all CDO customers:
- Customers using CDO's cloud-deployed Secure Device Connector (SDC) do not need to do anything as the remediation steps have already been performed by the CDO Operations Team.
- Customers using an SDC deployed need to upgrade their SDC host to use the latest Docker version. They can do so by using the following instructions:
Updating a CDO-Standard SDC Host
Use these instructions if you deployed a Secure Device Connector using CDO's VM image.
- Connect to your SDC host using SSH or the hypervisor console.
- Check the version of your Docker service by running this command:
- If you are running one of the latest virtual machines (VMs) you should see output like this:
> docker version Client: Version: 18.06.1-ce API version: 1.38 Go version: go1.10.3 Git commit: e68fc7a Built: Tue Aug 21 17:23:03 2018 OS/Arch: linux/amd64 Experimental: false
It's possible you may see an older version here.
- Run the following commands to update Docker and restart the service:
> sudo yum update docker-ce > sudo service docker restart
Note: There will be a brief connectivity outage between CDO and your devices while the docker service restarts.
- Run the docker version command again. You should see this output:
> docker version Client: Version: 18.09.2 API version: 1.39 Go version: go1.10.6 Git commit: 6247962 Built: Sun Feb XX 04:13:27 2019 OS/Arch: linux/amd64 Experimental: false
- You are done. You have now upgraded to the latest, and patched, version of Docker.
Updating a Custom SDC Host
If you have created your own SDC host you will need to follow the instructions to update based on how you installed Docker. If you used CentOS, yum and Docker-ce (the community edition) the preceding procedure will work.
If you have installed Docker-ee (the enterprise edtion) or used an alternate method to install Docker, the fixed versions of Docker may be different. You can check the Docker page to determine the correct versions to install: https://blog.docker.com/2019/02/docker-security-update-cve-2018-5736-and-container-security-best-practices/.
Cisco is continuing to evaluate this vulnerability and will update the advisory as additional information becomes available. After the advisory is marked Final, you can refer to the associated Cisco bug for further details: