Mirantis Container Runtime fixes Docker Engine vulnerability affecting upstream Moby
MCR 19.03 and later include a security fix for the Docker Engine Authorization Plugin Vulnerability (CVE-2024-41110)
Open source software has opened a whole new world of possibilities and boundless innovation, which has helped build the cloud and the modern technical infrastructure and services that we enjoy today. Open and available codebases are well placed for security scrutiny, because the people who develop the software and the people who run it can all review the code continuously. That scrutiny is not a guarantee, though: no system is perfect, and occasionally issues escape into production environments. As a company committed to making open source safe and usable for enterprises, Mirantis takes extra steps to ensure that the open source components in our platforms are secure, effective, and ready for production, so we can give our customers peace of mind.
Reinstating a security fix in upstream releases
One such example is the recently resolved authorization plugin vulnerability (CVE-2024-41110) in the Moby project, the open source container framework that underlies Mirantis Container Runtime (MCR), Docker Swarm, and Docker Engine. Described in more detail in the Mirantis Technical Bulletin, the issue affects daemons that enforce access control through an authorization (AuthZ) plugin: a crafted API request can be forwarded to the plugin without its body, so the plugin may approve a request it would otherwise deny. Hosts that do not configure an authorization plugin (`docker info` lists any under Plugins, Authorization) are not exposed, but where a plugin is the only control between an API client and the daemon, a bypass amounts to compromise of the host. The history of this vulnerability is an interesting one, dating back to 2019. That year the issue was identified and fixed in Docker CE version 18.09.1, but later the same year version 19.03.0 was released without the mitigation. Every Moby release since then, like 19.03, shipped without the mitigation code that 18.09.1 had carried.
Over that same period, Mirantis has increasingly participated in the open source community around the Moby project and has maintained MCR, an enterprise-grade container engine derived from Moby and targeted at users that require FIPS 140-2 validated encryption, prompt security fixes, feature stability, and enterprise support. In every release of MCR, Mirantis engineers ensured that the mitigation for CVE-2024-41110 was present, so MCR users were protected from this vulnerability throughout. In 2024, during routine maintenance, those same engineers discovered that the vulnerability MCR protected against was still present in community editions of Moby beyond the 19.03 codeline. To ensure the safety of the community at large, Mirantis notified key maintainers and led the effort to get the vulnerability quickly and broadly mitigated across all community Moby codelines.
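The plugin side of that failure mode, as an added example that is not code from Moby, MCR, or Mirantis: a minimal AuthZ decision function in Go, written first in the common "allow unless the body says otherwise" style and then fail-closed. The request and response structs are a local copy of the shape the daemon posts to /AuthZPlugin.AuthZReq (an assumption made so the example runs stand-alone, not an import of the real package), the privileged-container policy is a hypothetical one, and the sample requests are constructed. The upstream fix lives in the daemon; a plugin that refuses to decide without a body is defense in depth for plugin authors, not a substitute for upgrading.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// authzRequest mirrors the fields the daemon sends to an AuthZ plugin on
// /AuthZPlugin.AuthZReq. Local copy of that shape for the example (assumption),
// not an import of the moby authorization package.
type authzRequest struct {
	User           string            `json:"User"`
	RequestMethod  string            `json:"RequestMethod"`
	RequestURI     string            `json:"RequestUri"`
	RequestHeaders map[string]string `json:"RequestHeaders"`
	RequestBody    []byte            `json:"RequestBody"` // base64 on the wire; empty if the daemon forwarded no body
}

// authzResponse is the plugin's verdict.
type authzResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg"`
}

// createBody is the subset of the container-create payload the policy inspects.
type createBody struct {
	HostConfig struct {
		Privileged bool `json:"Privileged"`
	} `json:"HostConfig"`
}

// isContainerCreate reports whether a request is POST /[v1.xx/]containers/create,
// ignoring the query string.
func isContainerCreate(method, uri string) bool {
	if method != "POST" {
		return false
	}
	path := uri
	if i := strings.Index(path, "?"); i >= 0 {
		path = path[:i]
	}
	path = strings.TrimPrefix(path, "/")
	// Drop an optional API version prefix such as "v1.45/".
	if len(path) > 1 && path[0] == 'v' && path[1] >= '0' && path[1] <= '9' {
		if i := strings.Index(path, "/"); i >= 0 {
			path = path[i+1:]
		}
	}
	return path == "containers/create"
}

// naiveDecide allows everything except a create request whose body it can parse
// and which asks for a privileged container. Given an empty body there is
// nothing to parse, so it allows: this is how a request forwarded without its
// body turns into a policy bypass.
func naiveDecide(r authzRequest) authzResponse {
	if isContainerCreate(r.RequestMethod, r.RequestURI) {
		var b createBody
		if err := json.Unmarshal(r.RequestBody, &b); err == nil && b.HostConfig.Privileged {
			return authzResponse{Allow: false, Msg: "privileged containers are not permitted"}
		}
	}
	return authzResponse{Allow: true}
}

// hardenedDecide fails closed: a create request is denied unless the plugin
// received a body it could parse and that body passes policy.
func hardenedDecide(r authzRequest) authzResponse {
	if !isContainerCreate(r.RequestMethod, r.RequestURI) {
		return authzResponse{Allow: true}
	}
	if len(r.RequestBody) == 0 {
		return authzResponse{Allow: false, Msg: "container create forwarded without a body; refusing"}
	}
	var b createBody
	if err := json.Unmarshal(r.RequestBody, &b); err != nil {
		return authzResponse{Allow: false, Msg: "unparseable request body: " + err.Error()}
	}
	if b.HostConfig.Privileged {
		return authzResponse{Allow: false, Msg: "privileged containers are not permitted"}
	}
	return authzResponse{Allow: true}
}

// sampleRequests are constructed inputs: a privileged create with its body, the
// same call forwarded with no body, and a harmless list call.
func sampleRequests() []authzRequest {
	privileged := []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)
	return []authzRequest{
		{User: "dev", RequestMethod: "POST", RequestURI: "/v1.45/containers/create", RequestBody: privileged},
		{User: "dev", RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
			RequestHeaders: map[string]string{"Content-Length": "0"}},
		{User: "dev", RequestMethod: "GET", RequestURI: "/v1.45/containers/json?all=1"},
	}
}

func main() {
	for _, r := range sampleRequests() {
		fmt.Printf("%-4s %-30s body=%3d  naive=%-5v hardened=%-5v %s\n",
			r.RequestMethod, r.RequestURI, len(r.RequestBody),
			naiveDecide(r).Allow, hardenedDecide(r).Allow, hardenedDecide(r).Msg)
	}
}
```

The two policies agree on the first and third requests; they differ only on the bodyless create, which the naive version waves through and the hardened version refuses. The same fail-closed rule applies to any body-carrying endpoint a plugin makes decisions about, not just container creation.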
Beware of false CVE warnings for MCR
It is important to note that some security scanners may report this vulnerability as present in the MCR product. This can happen for several reasons: the scanner may lack up-to-date vulnerability information, or it may match on the engine version string and be unable to tell the patched MCR build apart from a community edition release of the same version. Users of MCR can be assured that, regardless of a scanner's assessment, no released version of Mirantis Container Runtime is vulnerable to this CVE. Mirantis continues to work with the relevant security organizations so that, over time, scanners report accurate results for CVE-2024-41110 as it applies to MCR.
Open source software is an undisputed boon to technological progress, thanks to the passion and creativity of the community around it. That is why Mirantis takes its responsibility to the open source community seriously, actively monitoring and accelerating the delivery of code that benefits not only our customers but the community as a whole, and that keeps the environment safe and secure for everyone involved.
To learn more about Mirantis product security, read about our Product Security Incident Response Team.