Critical security flaw discovered in the Docker application
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.
November 25, 2014
A critical security flaw has been discovered in the Docker application containerization software for Linux that could allow an attacker to gain elevated privileges and execute code remotely on affected systems.
The security hole, which has been corrected in Docker 1.3.2, affects all previous versions of the software.
"No remediation is available for older versions of Docker and users are strongly advised to upgrade as soon as possible," the company said in a security advisory yesterday.
The vulnerability, which has been assigned CVE-2014-6407, relates to how the Docker engine handles file-system image files.
Previous versions of the software would blindly follow symbolic and hard links in image archives, which could have allowed an attacker to craft a malicious image that wrote files to arbitrary directories on disk.
Docker 1.3.2 performs additional security checks on images before extracting them, and the extraction itself now takes place inside a chroot sandbox environment, where it only has limited access to the file system.
Docker credits Red Hat's Florian Weimer and independent researcher Tonis Tiigi for spotting the security issue.
But if fixing that little showstopper isn't reason enough for you to upgrade, Monday's security disclosure also describes a second critical bug, CVE-2014-6408, this one affecting only Docker versions 1.3.0 and 1.3.1.
Those versions of the software would accept and act upon security options that were applied to Docker images, which could allow a malicious image to loosen the security restrictions applied to the container that's executing the image.
Under the right circumstances, that in turn could let a malicious program break free of its container and affect the host system itself.
Docker says version 1.3.2 is available now for all supported platforms. That's a long list, but upgrade instructions are available for many of them on the website.
Source: The Docker Team.
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!