Docker vulnerability threatens cloud security


Docker application containerisation software users have been urged to update the software following the discovery of a couple of vulnerabilities that could affect the security of clouds running on the technology.

The bug affects all versions of the software up to and including version 1.3.1.

"No remediation is available for older versions of Docker and users are advised to upgrade," the company said in a security advisory.

A couple of flaws were noted on the Openwall website, CVE-2014-6407 and CVE-2014-6408.

The first, CVE-2014-6407, relates to an archive extraction flaw that allows host privilege escalation. This flaw affects versions of Docker up to 1.3.1.

The advisory said the Docker Engine was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations. This was caused by symlink and hardlink traversals present in Docker's image extraction. “This vulnerability could be leveraged to perform remote code execution and privilege escalation,” the advisory stated.
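The traversal class described above can be checked for before extraction. The following Go code is an added example, not Docker's own code or its 1.3.2 fix: it audits a layer tarball's headers for symlink and hardlink targets that resolve outside the extraction root. The names `escapes`, `AuditLayer` and `SampleLayer`, the root path, and the policy of treating absolute link targets as escapes are assumptions made for this example.

```go
package main
import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// escapes reports whether p leaves root (a clean absolute path). Absolute p
// counts as an escape: the assumption here is that extraction is not chrooted.
func escapes(root, p string) bool {
	return filepath.IsAbs(p) || !strings.HasPrefix(filepath.Join(root, p)+"/", root+"/")
}

// AuditLayer lists tar entries whose name or link target resolves outside root.
func AuditLayer(r io.Reader, root string) ([]string, error) {
	var bad []string
	tr := tar.NewReader(r)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return bad, err
		}
		target := h.Linkname // hardlink targets are relative to the archive root
		if h.Typeflag == tar.TypeSymlink && !filepath.IsAbs(target) {
			target = filepath.Join(filepath.Dir(h.Name), target) // relative to the link's directory
		}
		isLink := h.Typeflag == tar.TypeSymlink || h.Typeflag == tar.TypeLink
		if escapes(root, h.Name) || (isLink && escapes(root, target)) {
			bad = append(bad, h.Name)
		}
	}
	return bad, nil
}

// SampleLayer builds a constructed in-memory layer: one benign link, two escaping ones.
func SampleLayer() *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf) // write errors ignored: in-memory, constructed input
	tw.WriteHeader(&tar.Header{Name: "app/cur", Typeflag: tar.TypeSymlink, Linkname: "../app"})
	tw.WriteHeader(&tar.Header{Name: "app/up", Typeflag: tar.TypeSymlink, Linkname: "../../outside"})
	tw.WriteHeader(&tar.Header{Name: "hl", Typeflag: tar.TypeLink, Linkname: "../outside/file"})
	tw.Close()
	return buf
}
func main() {
	fmt.Println(AuditLayer(SampleLayer(), "/var/lib/example/rootfs")) // [app/up hl] <nil>
}
```

Header checks alone do not cover entries written through a symlink that already exists on disk; an extractor also has to resolve each path component inside the root.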

The second flaw, CVE-2014-6408, affects Docker versions 1.3.0 through 1.3.1 and allows security options to be applied to images, so that an image can alter the default run profile of the containers that execute it. “This vulnerability could allow a malicious image creator to loosen the restrictions applied to a container’s processes, potentially facilitating a break-out,” said the advisory.

Users have been advised to upgrade to version 1.3.2, which remedies the first flaw by adding checks to pkg/archive and image extraction. For the second flaw, security options applied to images are no longer consumed by the Docker engine in the newest version.

The advisory added that the latest release of the Docker Engine would also allow administrators to pass a CIDR-formatted range of addresses for '--insecure-registry'. “In addition, allowing a cleartext registry to exist on localhost is now default behaviour. This change was made due to user feedback following the changes made in 1.3.1 to resolve CVE-2014-5277,” the advisory stated.

Rene Millman
