@Vlastimil_Holer already answered many of your questions, so I will answer the rest. Because points 2 and 3 are related, I will answer them together (below the TL;DR section).
- A CVE is always a danger, but sometimes the fix can be postponed - an updated appliance is coming soon.
- It is not as easy as yum/dnf update - yes, it can break your deployment.
If you provide a Kubernetes environment to third parties (clients) and have no real say in what runs inside it, then some CVEs can be a potential danger - a user can escalate privileges, etc.
If you are referring to this: https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/ then there is also some guidance on how to fix it. This is a severe one and it will be fixed with the new release of the appliance - soon - or you can fix it yourself with some know-how.
We did not attempt to fix it at the time of release because the latest Kubernetes version (at that time) did not officially support the fixed version of Docker - we chose the path of a working and supported release from kubernetes.io. There is a new Kubernetes version and this CVE should be fixed already.
For the upgrades - I believe that once you instantiate the VM it is your responsibility to manage it. So you should do upgrades of the underlying operating system. It is true that a simple yum/dnf update could break things. Kubernetes is one of those projects where updating can be painful and can break everything.
But if you disable the Kubernetes and Docker repos, then yum/dnf update should be safe - the point is to not touch Docker.
The proper way to upgrade Kubernetes is here: https://kubernetes.io/docs/setup/release/notes/#urgent-upgrade-notes
We have been waiting for some feedback from users, so we did not have a set schedule to release updated appliances as of yet. But a new updated Kubernetes appliance is on the way.
Although a new updated appliance would not save you if you already have something deployed - you would have to redeploy your environment anyway.
So if you wish to have your VM up-to-date, then you must learn how to do it (with Kubernetes) or redeploy with a new release of our appliance. There is a third option - to use some other Kubernetes implementation like Rancher's RKE, which is designed to do seamless upgrades (they claim that - we did not test it) - but it is a completely different project which reimplements the Kubernetes API. We could add it if there were a demand.
I hope that I answered your question in a satisfying way - the new updated Kubernetes release will come in a matter of a week or two.
If you have other questions - keep asking. And sorry for the delay in our reply.
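As an added example that is not part of the original post and not the appliance's own tooling, the script below shows what the "disable the Docker and Kubernetes repos, then yum/dnf update" approach from the reply looks like in practice, plus a quick check of whether the installed Docker already carries the runc fix for CVE-2019-5736. It assumes a CentOS/RHEL-style appliance with docker-ce.repo (repo ids docker-ce-*) and kubernetes.repo (repo id kubernetes) under /etc/yum.repos.d, and takes Docker 18.09.2 as the first fixed version, which is what the linked kubernetes.io post names; the repo files and version strings in the demo are constructed, so it runs without touching the host.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the appliance: a
# "safe" yum/dnf update of a Kubernetes node that leaves Docker and Kubernetes
# packages alone, plus a check for the runc-fixed Docker version.
# Assumptions (not stated in the post): CentOS/RHEL-like host, repo files
# docker-ce.repo (ids docker-ce-*) and kubernetes.repo (id kubernetes), and
# Docker 18.09.2 as the first release containing the fix (per the linked post).
set -u

# Packages a routine OS update must never touch on a working cluster node.
HOLD_PKGS="docker-ce docker-ce-cli containerd.io kubeadm kubelet kubectl kubernetes-cni"

# disable_repo FILE: flip every enabled=1 in a .repo file to enabled=0.
# Fails (return 1) when the file is missing so a typo does not pass silently.
disable_repo() {
  local f="$1"
  [ -f "$f" ] || return 1
  sed -i 's/^enabled=1$/enabled=0/' "$f"
}

# repo_enabled FILE: succeed if any section of the .repo file is still enabled.
repo_enabled() {
  grep -q '^enabled=1$' "$1"
}

# update_cmd: print the update invocation. The --disablerepo/--exclude flags
# are belt and braces on top of the disabled .repo files, so the command stays
# safe even if someone re-enables a repo later.
update_cmd() {
  local pm="yum"
  command -v dnf >/dev/null 2>&1 && pm="dnf"
  local excl="" p
  for p in $HOLD_PKGS; do excl="$excl --exclude=$p"; done
  printf "%s update --disablerepo='docker-ce*' --disablerepo=kubernetes%s\n" "$pm" "$excl"
}

# docker_version_fixed "Docker version X.Y.Z, build ...": succeed when X.Y.Z is
# at least 18.09.2 (assumed fixed version); return 2 if the string is unparseable.
docker_version_fixed() {
  local have need="18.09.2"
  have=$(printf '%s' "$1" | sed -n 's/^Docker version \([0-9][0-9.]*\).*/\1/p')
  [ -n "$have" ] || return 2
  [ "$(printf '%s\n' "$have" "$need" | sort -V | head -n1)" = "$need" ]
}

# Constructed demo: two fake repo files in a temp dir stand in for the real
# /etc/yum.repos.d so the script can be run without modifying the host.
demo() {
  local d f
  d=$(mktemp -d)
  printf '[docker-ce-stable]\nname=Docker CE Stable\nenabled=1\ngpgcheck=1\n' > "$d/docker-ce.repo"
  printf '[kubernetes]\nname=Kubernetes\nenabled=1\ngpgcheck=1\n' > "$d/kubernetes.repo"
  disable_repo "$d/docker-ce.repo"
  disable_repo "$d/kubernetes.repo"
  for f in "$d"/*.repo; do
    if repo_enabled "$f"; then echo "STILL ENABLED: $f"; else echo "disabled: $f"; fi
  done
  echo "run: $(update_cmd)"
  # Constructed output of 'docker --version' on an unpatched appliance.
  if docker_version_fixed "Docker version 18.09.1, build 4c52b90"; then
    echo "docker: runc fix present"
  else
    echo "docker: still vulnerable to CVE-2019-5736, update Docker separately"
  fi
  rm -rf "$d"
}

demo
```

On a real node you would point disable_repo at the files in /etc/yum.repos.d and then run the printed command; feed the output of `docker --version` to docker_version_fixed to decide whether Docker itself still needs the separate, Kubernetes-version-aware update the reply talks about.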