Docker Updates for Three Security Vulnerabilities

by Sean Michael Kerner

Docker 1.3.3 provides security updates although Red Hat doesn't consider the issues serious.

The open-source Docker project has updated the Docker engine for container virtualization to version 1.3.3, fixing a trio of security vulnerabilities. The security advisories for the Docker vulnerabilities were first publicly released on Dec. 11 although not every vendor in the Docker ecosystem has been in a hurry to update.

Docker has emerged over the course of 2014 to become a popular technology for application virtualization and now has the support of Amazon, IBM, VMware, Microsoft and Red Hat, among others.

One of the issues fixed in Docker 1.3.3 is identified as CVE-2014-9357 and is a privilege-escalation flaw that was introduced in the Docker 1.3.2 update. Docker 1.3.2 debuted on Nov. 24, providing users with a pair of security updates.

"It has been discovered that the introduction of chroot for archive extraction in Docker 1.3.2 had introduced a privilege escalation vulnerability," Docker warned in its advisory. "Malicious images or builds from malicious Dockerfiles could escalate privileges and execute arbitrary code as a privileged root user on the Docker host by providing a malicious 'xz' binary."

The other two security updates in the Docker 1.3.3 update are for what are known as path traversal vulnerabilities. In a path traversal attack, the attacker is able to gain unauthorized access to files outside the normal folders for which a given user has authorized access. One of the path traversal flaws is identified as CVE-2014-9356.

"This vulnerability allowed malicious images or builds from malicious Dockerfiles to write files to the host system and escape containerization, leading to privilege escalation," Docker warned in its advisory for CVE-2014-9356.

The second path traversal issue is identified as CVE-2014-9358, which was the result of the Docker engine not fully validating image IDs.

While the open-source Docker project issued its updates on Dec. 11, on Dec. 12, Red Hat was promoting the availability of Docker-1.3.2-4 for its Red Hat Enterprise Linux (RHEL) Atomic Host operating system. Atomic Host is a version of Red Hat's flagship Linux platform that has been optimized for Docker container application delivery.

As to why Red Hat did not immediately provide its RHEL Atomic Host users with Docker 1.3.3, Dan Walsh, consulting engineer at Red Hat, responded to eWEEK via Twitter that the CVEs were not considered serious.

Lars Herrmann, senior director, strategy, at Red Hat, told eWEEK via email that Red Hat issued bug advisory RHBA-2014:1977-1 on Dec. 10. The CVE-2014-9358 vulnerability, which was patched by the upstream open-source Docker project in the Docker 1.3.3 release, is part of the Red Hat bug advisory and patched in the Docker-1.3.2-4 update. The other two flaws, CVE-2014-9356 and CVE-2014-9358, were not part of Red Hat's update.

"The CVEs that are not addressed in this RHBA are not considered problematic," Herrmann stated. "The bottom line is that for customers who are using systems properly, including using container images from only trusted sources, two of the CVEs identified will not affect them."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Originally published on eWeek.
This article was originally published on Monday Dec 15th 2014
Mobile Site | Full Site