Docker vulnerability threatens cloud security
Users warned to update as soon as possible


Docker application containerisation software users have been urged to update the software following the discovery of a couple of vulnerabilities that could affect the security of clouds running on the technology.
The bug affects all versions of the software up to and including version 1.3.1.
"No remediation is available for older versions of Docker and users are advised to upgrade," the company said in a security advisory.
A couple of flaws were noted on the Openwall website, CVE-2014-6407 and CVE-2014-6408.
The first relates to an archive extraction flaw that allows host privilege escalation. This flaw affects versions of Docker up to 1.3.1.
The advisory said the Docker Engine was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations. This was caused by symlink and hardlink traversals present in Docker's image extraction. “This vulnerability could be leveraged to perform remote code execution and privilege escalation,” the advisory stated.
The second flaw, CVE-2014-6408, affects Docker versions 1.3.0 through 1.3.1. It allows security options to be applied to images, so that an image can alter the default run profile of the containers that execute it. “This vulnerability could allow a malicious image creator to loosen the restrictions applied to a container’s processes, potentially facilitating a break-out,” said the advisory.
Users have been advised to upgrade to version 1.3.2, which remedies the first flaw by adding checks to pkg/archive and image extraction. For the second flaw, security options applied to images are no longer consumed by the Docker engine in the newest version.
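The kind of path check the advisory describes for CVE-2014-6407 can be shown in a short Go program, added here as an example and not taken from Docker's pkg/archive code. `CheckEntry`, `inside`, `Sample` and the `/srv/extract` root are hypothetical names, the tar headers are constructed, and treating absolute symlink targets as host paths is an assumption of this example.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// inside reports whether p, after lexical cleaning, is root or lies below it.
func inside(root, p string) bool {
	rel, err := filepath.Rel(root, filepath.Clean(p))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// CheckEntry (hypothetical helper) rejects an entry whose path or link target leaves root.
func CheckEntry(root string, h *tar.Header) error {
	dest, target := filepath.Join(root, h.Name), ""
	switch h.Typeflag {
	case tar.TypeLink: // hardlink targets are named relative to the archive root
		target = filepath.Join(root, h.Linkname)
	case tar.TypeSymlink: // relative targets resolve from the link's own directory
		if target = h.Linkname; !filepath.IsAbs(target) {
			target = filepath.Join(filepath.Dir(dest), target)
		}
	}
	if !inside(root, dest) || (target != "" && !inside(root, target)) {
		return fmt.Errorf("%q (link %q) escapes %s", h.Name, h.Linkname, root)
	}
	return nil
}

// Sample returns constructed headers: two benign entries, then three that escape.
func Sample() []*tar.Header {
	return []*tar.Header{
		{Name: "usr/bin/tool", Typeflag: tar.TypeReg},
		{Name: "usr/lib/cur", Typeflag: tar.TypeSymlink, Linkname: "../share/v1"},
		{Name: "../outside.txt", Typeflag: tar.TypeReg},
		{Name: "etc/alias", Typeflag: tar.TypeSymlink, Linkname: "../../host-dir"},
		{Name: "etc/hard", Typeflag: tar.TypeLink, Linkname: "../host-file"},
	}
}

func main() {
	for _, h := range Sample() {
		fmt.Println(h.Name, CheckEntry("/srv/extract", h))
	}
}
```

The check is lexical only: an extractor must also avoid writing through links it has already created, for example by unpacking inside a chroot.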
The company added that the latest release of the Docker Engine would also allow administrators to pass a CIDR-formatted range of addresses for '--insecure-registry'. “In addition, allowing a cleartext registry to exist on localhost is now default behaviour. This change was made due to user feedback following the changes made in 1.3.1 to resolve CVE-2014-5277,” the advisory stated.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.