Docker vulnerability exposed, users urged to upgrade for cloud security


Docker, the Linux container for run-anywhere apps, has a major vulnerability in all but the latest version of its software, which can allow a malicious image to extract files to arbitrary paths on the host.

The vuln, described as ‘critical’ in severity, was first spotted by Red Hat’s security researcher Florian Weimer and independent researcher Tõnis Tiigi, with Docker crediting them in a security advisory.

“The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations,” it reads. “This was caused by symlink and hardlink traversals present in Docker’s image extraction.

“This vulnerability could be leveraged to perform remote code execution and privilege escalation,” it added.

The advisory document noted there was no cure for this issue, and urged users to upgrade to the latest iteration.
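A defender-side check for the symlink and hardlink traversal the advisory describes, as an added example that is not Docker's code or its fix: it audits a layer tarball before anything is extracted. The policy, the function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile

def outside(base, target):
    """True if target, resolved from base inside the archive, leaves the root."""
    joined = posixpath.normpath(posixpath.join(base, target))
    return posixpath.isabs(target) or joined == ".." or joined.startswith("../")

def audit(fileobj):
    """List (entry, reason): escaping names or link targets, and paths routed through a symlink."""
    findings, links = [], set()
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        for m in tar:
            name = posixpath.normpath(m.name)
            if outside("", m.name):
                findings.append((name, "name escapes root"))
            elif m.islnk() and outside("", m.linkname):
                findings.append((name, "hardlink target escapes root"))
            # Absolute symlink targets are normal in images; flag relative escapes only.
            elif (m.issym() and not posixpath.isabs(m.linkname)
                  and outside(posixpath.dirname(name), m.linkname)):
                findings.append((name, "symlink target escapes root"))
            paths = [name] + ([posixpath.normpath(m.linkname)] if m.islnk() else [])
            for link in sorted(links):
                if any(p.startswith(link + "/") for p in paths):
                    findings.append((name, "path passes through symlink " + link))
            if m.issym():
                links.add(name)
    return findings

def sample_layer():
    """Constructed in-memory layer: two benign entries, three hostile ones."""
    entries = [("app/config", tarfile.REGTYPE, ""),
               ("app/logs", tarfile.SYMTYPE, "/var/log"),
               ("app/out", tarfile.SYMTYPE, "../../target"),
               ("app/out/file", tarfile.REGTYPE, ""),
               ("app/hl", tarfile.LNKTYPE, "../target")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, target in entries:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, target
            tar.addfile(info)
    return io.BytesIO(buf.getvalue())

if __name__ == "__main__":
    for entry, reason in audit(sample_layer()):
        print(f"{entry}: {reason}")
```

An audit like this only reports; an extractor still has to resolve every path inside the extraction root rather than trusting the archive.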

This wasn’t the only bug in the system either. An issue which affects versions 1.3.0 and 1.3.1 allows a malicious image creator to modify the default run profile of containers – yet this has been fixed with the current version.

The problem is compounded by the fact that the vast majority of major cloud computing providers have partnered with Docker in order to package sleek, secure applications on its platform. Microsoft announced its deal in October, with Google, Amazon Web Services and Rackspace also on board.

It’s easy to see why these vendors are buddying up; as Docker leverages the host’s operating system, there are no overheads or difficulties in spinning up virtual machines when shipping an application in its container. But like a lot of nascent products that are hitting the zeitgeist, it’s best to not get carried away on an untested system when security scare stories are just around the corner.

Users are urged to upgrade to version 1.3.2 as soon as they can.
