Guidance on CVE-2018-15664 for Azure IoT Edge

Microsoft has built a new version of the Moby container runtime, v3.0.6, that includes an update to address a recently reported vulnerability, [CVE-2018-15664](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-15664). We recommend that you update the container runtime on your IoT Edge device, even though it does not affect standard IoT Edge devices. The product does not use the ‘docker cp’ command which is the point of attack. However, it’s possible that advanced scenarios are vulnerable. Modules that have been created with elevated privileges and a mounted docker socket are at a higher risk. More information on this vulnerability can be found [here](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-15664). Use the following instructions, as applicable, to update Moby. Linux Debian-based X64 (.deb): 1. Follow the [instructions ](https://docs.microsoft.com/en-us/azure/iot-edge/how-to-install-iot-edge-linux#register-microsoft-key-and-software-repository-feed)to register to Microsoft key and software repository feed. 2. sudo apt-get update 3. sudo apt-get install moby-engine Linux CentOS-based X64 (.rpm): 1. curl -L <https://aka.ms/moby-engine-x86%5F64-rpm-latest> \-o moby-engine-3.0.6-centos.x86\_64.rpm 2. sudo yum install -y ./moby-engine-3.0.6-centos.x86\_64.rpm Linux Debian-based ARM32 (for example, Raspberry Pi): 1. curl -L <https://aka.ms/moby-engine-armhf-latest> \-o moby-engine\_3.0.6\_armhf.deb 2. sudo dpkg -i ./moby-engine\_3.0.6\_armhf.deb Please update [Docker Engine (18.09.7 or more recent)](https://docs.docker.com/engine/release-notes/#18097) if you’re testing or developing with Docker instead of the Microsoft built moby-engine. Windows is not affected. * Azure IoT Edge * Security * [ Azure IoT Edge](https://azure.microsoft.com/en-gb/products/iot-edge/)