Critical Docker & Kubernetes Vulnerabilities and Key Open‑Source Updates You Must Know
This week’s roundup covers two high‑severity Docker CVEs (CVE‑2019‑5021 privilege escalation in Alpine images and CVE‑2018‑15664 TOCTOU flaw in docker cp), Kubernetes moving to Go modules, new Envoy request‑mirror and route‑debug features, Knative’s stateful‑serverless experiment, Istio 1.0 EOL, Cilium’s BPF‑based network policy, and emerging Service Mesh trends, all with reference links for deeper reading.
Docker Alpine Privilege Escalation (CVE‑2019‑5021)
The CVE affects every Docker image based on Alpine Linux from version 3.3 onward because the root account's entry in /etc/shadow carries an empty password field, allowing attackers to obtain root privileges inside the container and potentially escape to the host. Affected Alpine‑based images include 3.3 through 3.9 and edge. The issue was fixed in Alpine 3.9.4; users should upgrade to that version or later. An example mitigation is shown in a Kubernetes‑CSI external‑provisioner pull request.
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5021
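A defender's check for the condition behind CVE‑2019‑5021, added here as an example (not code from the advisory, Alpine, or the Kubernetes‑CSI pull request): it inspects a shadow file for a root entry whose password field is empty and locks that entry, the same kind of fix the mitigation PR applies. The `IMAGE_NAME` placeholder and the sample shadow contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detect and lock an empty root password in /etc/shadow.

# Returns 0 (true) when root's password field, the second colon-separated
# field of the root line, is empty; returns 1 otherwise.
root_password_empty() {
  shadow_file="$1"
  field=$(awk -F: '$1 == "root" { print $2; exit }' "$shadow_file")
  [ -z "$field" ]
}

# Replaces an empty root password field with "!" (a locked account).
# Portable rewrite via a temp file rather than sed -i, which differs by platform.
lock_root_if_empty() {
  shadow_file="$1"
  if root_password_empty "$shadow_file"; then
    tmp="$shadow_file.tmp"
    sed 's/^root::/root:!:/' "$shadow_file" > "$tmp" && mv "$tmp" "$shadow_file"
  fi
}

# Checks a container image by dumping its /etc/shadow with a cat entrypoint.
# Requires a Docker daemon; IMAGE_NAME is a placeholder for the image under test.
check_image() {
  image="$1"
  dump=$(mktemp)
  docker run --rm --entrypoint cat "$image" /etc/shadow > "$dump"
  if root_password_empty "$dump"; then
    echo "$image: root has an empty password (CVE-2019-5021 condition)"
  else
    echo "$image: root password field is set or locked"
  fi
  rm -f "$dump"
}

# Constructed sample shadow files (not real image contents) for a local run.
vulnerable=$(mktemp)
printf 'root::18000:0:::::\nbin:!::0:::::\n' > "$vulnerable"
fixed=$(mktemp)
printf 'root:!::0:::::\nbin:!::0:::::\n' > "$fixed"
```

Run `check_image IMAGE_NAME` against a real image where a Docker daemon is available; the sample files exercise the same logic offline.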
Docker cp TOCTOU Vulnerability (CVE‑2018‑15664)
Reported by SUSE engineer Aleksa Sarai on May 29, this flaw lets an attacker who controls a container's filesystem swap a path component for a symbolic link while docker cp is resolving the path, so that the copy follows the link and reads or writes host files as root. The exploit requires the attacker to have docker cp privileges; Alibaba Cloud's container service disables this command by default via RBAC. Mitigations include disabling docker cp in multi‑tenant environments and applying AppArmor or similar restrictions to the Docker daemon. Detailed analysis is available in the CVE‑2018‑15664 report.
References: https://nvd.nist.gov/vuln/detail/CVE-2018-15664 https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use https://github.com/moby/moby/pull/39292 https://yq.aliyun.com/articles/70451
Kubernetes adopts Go modules from v1.15
Starting with version 1.15, Kubernetes switched from the legacy Godeps system to Go modules for dependency management. Go modules improve build speed, simplify cross‑platform reproducibility, and make it easier for other projects to depend on Kubernetes, reflecting a broader move toward modular architecture.
Reference: https://github.com/kubernetes/enhancements/blob/master/keps/sig-architecture/2019-03-19-go-modules.md
Envoy adds request‑mirror feature to Redis proxy
Envoy now supports request mirroring in its Redis proxy, allowing a configurable percentage of traffic to be duplicated while optionally filtering out read‑related commands.
Reference: https://github.com/envoyproxy/envoy/pull/7029
Envoy introduces route‑debug for dynamic routing
The new route‑debug capability lets users verify whether a request is correctly routed to a cluster, addressing the limitation of the existing static route‑table checker for xDS‑provided dynamic routes.
Reference: https://github.com/envoyproxy/envoy/pull/6893
Knative explores stateful‑serverless
An experimental project from Lightbend (the creators of Akka) aims to bring stateful services to Knative by combining an Akka cluster with persistent storage, demonstrated with a counter service and accompanied by conference videos.
References: https://github.com/lightbend/stateful-serverless https://www.youtube.com/watch?v=AOY8yRC6dVY https://www.youtube.com/watch?v=DTvXa-iqrfA&list=PLj6h78yzYM2PpmMAnvpvsnR4c27wJePh3&index=70
Istio 1.0 End‑of‑Life
According to Istio’s support policy, the 1.0 release will cease receiving security or critical bug fixes on June 19 2019, three months after the next LTS (1.1) was released on March 19. Users are strongly encouraged to upgrade to a newer LTS version.
Reference: https://istio.io/blog/2019/announcing-1.0-eol/
Cilium: BPF‑based Kubernetes Network Policy
Cilium implements Kubernetes network policies using the Linux kernel’s Berkeley Packet Filter (BPF) technology, offering strong security isolation and visibility. It is now a standard add‑on for Kubernetes clusters.
References: https://cilium.readthedocs.io/en/stable/intro/ https://kubernetes.io/docs/tasks/administer-cluster/network-policy-provider/cilium-network-policy/
Eventing Security Requirements in Knative
Knative defines three security boundaries for event handling: authentication/authorization between event providers and sources, token‑based authentication between ingress and the Broker, and token verification between Triggers and consumer services.
Reference: https://github.com/knative/eventing/issues/705
Service Mesh Development Trends
The article outlines recent product developments in Service Mesh, analyzes its growth trajectory, and discusses its core value in cloud‑native environments, drawing on Alibaba Cloud’s cloud‑native practice as a case study.
Reference: https://skyao.io/talk/201905-servicemesh-development-trend/
Alibaba Cloud Native