docker-ce v18.09.2 was just released that contains a fix for the aforementioned CVE.
It would be awesome if you guys can create another AMI release that contains the patched version of docker-ce.
Wasn't reading the security bulletin :)
https://aws.amazon.com/security/security-bulletins/AWS-2019-002/
Thanks for acting so quickly.
The tag v20190211 has the fix. AMI IDs are in the EKS docs
@micahhausler in fact you didn't patch this issue :(
As described here: https://alas.aws.amazon.com/ALAS-2019-1156.html docker version must be updated to docker-18.06.1ce-7.25.amzn1.x86_64 (to be honest I don't know why not directly 18.06.2 - https://docs.docker.com/engine/release-notes/#18062) but in the source code hardcoded version is still 17.06 - https://github.com/awslabs/amazon-eks-ami/blob/master/eks-worker-al2.json#L8
[ec2-user@ip-192-168-11-19 ~]$ sudo rpm -qa |grep docker
docker-17.06.2ce-2.amzn2.x86_64

[ec2-user@ip-192-168-11-19 ~]$ cat /etc/eks/release
BASE_AMI_ID="ami-df3b9da7"
BUILD_TIME="Thu Feb 7 00:10:43 UTC 2019"
BUILD_KERNEL="4.9.62-10.57.amzn2.x86_64"
AMI_NAME="amazon-eks-node-1.11-v20190211"
ARCH="x86_64"
This AMI was released with an internal patched version of runc. In the future, please do not report confirmed or suspected security issues on Github.
@micahhausler sorry to bother you but where it the proper place to do this as I still have doubts.
Please report any suspected or confirmed security issues to AWS Security https://aws.amazon.com/security/vulnerability-reporting/
@dawidmalina I can confirm that our AMIs listed today are patched.
why not put that info into changelog i spent hour searching if really those new amis are patched because ALAS had mentioned only docker18 patched while amis at least for 1.10 contain 17.06 there is no way to determine other than believe on your word or wait for expoits :) I see you changed templates to stop folks asking security questions, so just include that patches were delivered in changelog or provide some place on AWS where such info can be found.
Reporting vuln just to make sure it is patched seems like resource waste on both sides!
@gacopl We'll update the change log with a note
@micahhausler I build my own AMI based on the official AMI, so where can I get this patched version to patch my AMI as well? any details?
@micahhausler for clarity, if we use the build scripts/config in this repo will we end up with an ouput AMI that contains the patched version of runc?
@aly-aurea @vito-laurenza-zocdoc
Unfortunately the version of 17.06 in the amazon-extras repo does not contain the patch for CVE-2019-5736. We are recommending using Docker 18.06 for custom built AMIs. 18.06 was set as the default version of docker in #181.
Thank you @micahhausler 馃憤
Most helpful comment
why not put that info into changelog i spent hour searching if really those new amis are patched because ALAS had mentioned only docker18 patched while amis at least for 1.10 contain 17.06 there is no way to determine other than believe on your word or wait for expoits :) I see you changed templates to stop folks asking security questions, so just include that patches were delivered in changelog or provide some place on AWS where such info can be found.
Reporting vuln just to make sure it is patched seems like resource waste on both sides!