[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Docker 1.3.3 - Security Advisory [11 Dec 2014]
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Docker 1.3.3 - Security Advisory [11 Dec 2014]
- From: Eric Windisch <eric.windisch@xxxxxxxxxx>
- Date: Thu, 11 Dec 2014 21:11:57 -0500
Docker 1.3.3 has been released to address several vulnerabilities and is
immediately available for all supported platforms:
https://docs.docker.com/installation/
This release addresses vulnerabilities which could be exploited by a malicious
Dockerfile, image, or registry to compromise a Docker host, modify images, or
spoof official repository images. Note that today we also saw the release of
Docker 1.4.0, also containing these fixes. While version 1.3.3 is a
security-focused update, Docker 1.4.0 includes over 180 new commits, primarily
bug fixes.
It is highly recommended that users upgrade to Docker Engine 1.3.3 or higher.
Please send any questions to security@xxxxxxxxxx.
Docker Security Advisory [141211]
----------------------------------------------------------------------------------------------------------
=============================================================
[CVE-2014-9356] Path traversal during processing of absolute symlinks
=============================================================
Path traversal attacks are possible in the processing of absolute symlinks. In
checking symlinks for traversals, only relative links were considered. This
allowed path traversals to exist where they should have otherwise been
prevented. This was exploitable via both archive extraction and through volume
mounts.
This vulnerability allowed malicious images or builds from malicious
Dockerfiles to write files to the host system and escape containerization,
leading to privilege escalation.
We are releasing Docker 1.3.3 to address this vulnerability. Users are highly
encouraged to upgrade.
Discovered by Tõnis Tiigi.
===================================================================
[CVE-2014-9357] Escalation of privileges during decompression of LZMA (.xz)
archives
===================================================================
It has been discovered that the introduction of chroot for archive extraction
in Docker 1.3.2 had introduced a privilege escalation vulnerability. Malicious
images or builds from malicious Dockerfiles could escalate privileges and
execute arbitrary code as a privileged root user on the Docker host by
providing a malicious ‘xz’ binary.
We are releasing Docker 1.3.3 to address this vulnerability. Only Docker 1.3.2
is vulnerable. Users are highly encouraged to upgrade.
Discovered by Tõnis Tiigi.
=========================================================================
[CVE-2014-9358] Path traversal and spoofing opportunities presented through
image identifiers
=========================================================================
It has been discovered that Docker does not sufficiently validate Image IDs as
provided either via 'docker load' or through registry communications. This
allows for path traversal attacks, causing graph corruption and manipulation by
malicious images, as well as repository spoofing attacks.
We are releasing Docker 1.3.3 to address this vulnerability. Users are highly
encouraged to upgrade.
Discovered by Eric Windisch of Docker, Inc.