A nasty vulnerability has been discovered in the Docker application containerization software for Linux that could allow an attacker to gain elevated privileges and execute code remotely on affected systems.
The bug, which has been corrected in Docker 1.3.2, affects all previous versions of the software.
More ReadingDocker hires'n'acquires to cure its security, networking headachesBatten down the patches: New vuln found in Docker container techDocker grabs conductor's baton, jumps into cluster orchestrationCoreOS's Docker-rival Rocket: We drill into new container contenderPart 3: Docker vs hypervisor in tech tussle SMACKDOWN
"No remediation is available for older versions of Docker and users are advised to upgrade," the company said in a security advisory on Monday.
The flaw, which has been assigned CVE-2014-6407, relates to how the Docker engine handles file-system image files. Previous versions of the software would blindly follow symbolic and hard links in image archives, which could have allowed an attacker to craft a malicious image that wrote files to arbitrary directories on disk.
Docker 1.3.2 performs additional checks on images before extracting them, and the extraction itself now takes place inside a "chroot" sandbox environment, where it only has limited access to the file system.
Docker credits Red Hat's Florian Weimer and independent researcher Tõnis Tiigi for spotting the flaw.
But if fixing that little showstopper isn't reason enough for you to upgrade, Monday's security disclosure also describes a second critical bug, CVE-2014-6408, this one affecting only Docker versions 1.3.0 and 1.3.1.
Those versions of the software would accept and act upon security options that were applied to Docker images, which could allow a malicious image to loosen the security restrictions applied to the container that's executing the image. Under the right circumstances, that in turn could let a malicious program break free of its container and affect the host system itself.
Right, so upgrade it shall be, then.
Docker says version 1.3.2 is available now for all supported platforms. That's a long list, but upgrade instructions are available for many of them here. ®