Docker vulnerability threatens cloud security
Users warned to update as soon as possible


Docker application containerisation software users have been urged to update the software following the discovery of a couple of vulnerabilities that could affect the security of clouds running on the technology.
The bug affects all versions of the software up to and including version 1.3.1.
"No remediation is available for older versions of Docker and users are advised to upgrade," the company said in a security advisory.
A couple of flaws were noted on the Openwall website, CVE-2014-6407 and CVE-2014-6408.
The first relates to an archive extraction allowing host privilege escalation. This flaw affects versions of Docker up to 1.3.1.
The advisory said the Docker Engine was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations. This was caused by symlink and hardlink traversals present in Docker's image extraction. “This vulnerability could be leveraged to perform remote code execution and privilege escalation,” the advisory stated.
The second flaw, CVE-2014-6408, affects Docker versions 1.3.0 through 1.3.1 and allows security options to be applied to images, allowing the default run profile of containers to be altered and - in turn - execute these images. “This vulnerability could allow a malicious image creator to loosen the restrictions applied to a container’s processes, potentially facilitating a break-out,” said the advisory.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Users have been advised to upgrade to version 1.3.2, which remedies the first flaw by carrying out additional checks to pkg/archive and image extraction. For the second flaw the newest version has security options applied to images that are no longer consumed by the Docker engine.
It added the latest release of the Docker Engine would also allow administrators to pass a CIDR-formatted range of addresses for '—insecure-registry'. “In addition, allowing a cleartext registry to exist on localhost is now default behaviour. This change was made due to user feedback following the changes made in 1.3.1 to resolve CVE-2014-5277,” the advisory stated.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
OpenAI just launched 'Codex', a new AI agent for software engineering
News OpenAI has unveiled the launch of a new AI agent, dubbed 'Codex', aimed specifically at supporting software engineering tasks.
-
Acer's new Swift Edge 14 AI is a MacBook Air killer
News Acer's new Swift Edge 14 AI is an ultra-lightweight, compact productivity powerhouse.