

By Neil McAllister, 25th November 2014 00:01

How secure is Docker? If you're not running version 1.3.2, NOT VERY

UPGRADE NOW to fix vuln found in all previous versions

A nasty vulnerability has been discovered in the Docker application containerization software for Linux that could allow an attacker to gain elevated privileges and execute code remotely on affected systems.

The bug, which has been corrected in Docker 1.3.2, affects all previous versions of the software.

"No remediation is available for older versions of Docker and users are advised to upgrade," the company said in a security advisory on Monday.

The flaw, which has been assigned CVE-2014-6407, relates to how the Docker engine handles file-system image files. Previous versions of the software would blindly follow symbolic and hard links while extracting image archives, which could have allowed an attacker to craft a malicious image that wrote files to arbitrary directories on the host's disk.

Docker 1.3.2 performs additional checks on images before extracting them, and the extraction itself now takes place inside a "chroot" sandbox environment, where it only has limited access to the file system.
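As an added illustration of the check side of such a fix (this is not Docker's own code and is not part of the original article), the Go program below is a tar extractor that refuses any entry whose path or link target escapes the destination directory. The important part is resolveDir: before each write it walks the parent path one component at a time, following any symlink already on disk and insisting that the result still lies inside the root. A purely lexical check on the entry name is not enough, because an archive can first plant a symlink pointing out of the root and then write a regular file "through" it; that is the kind of link-following the paragraph above describes. The function and variable names (SafeExtract, resolveDir, insideRoot, ErrEscape) are assumptions of this example, it targets Unix (it relies on O_NOFOLLOW), and it does not replicate the chroot sandbox that Docker's fix added on top of its checks.

```go
package main

import (
	"archive/tar"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

var ErrEscape = errors.New("tar entry escapes extraction root") // any entry that would read or write outside the root

func insideRoot(root, p string) bool { // true when p (absolute, clean) is root itself or lies below it
	rel, err := filepath.Rel(root, p)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// resolveDir walks the clean relative path rel below root one component at a time: missing directories
// are created, existing ones are resolved with EvalSymlinks and must still lie inside root, so a symlink
// planted by an earlier entry (or already present on the host) cannot redirect a later write.
func resolveDir(root, rel string) (string, error) {
	cur := root
	for _, comp := range strings.Split(filepath.ToSlash(rel), "/") {
		if comp == ".." {
			return "", fmt.Errorf("%w: %q", ErrEscape, rel)
		}
		cur = filepath.Join(cur, comp)
		resolved, err := filepath.EvalSymlinks(cur)
		switch {
		case errors.Is(err, os.ErrNotExist): // nothing on disk here yet, so nothing can be followed
			if err := os.Mkdir(cur, 0o755); err != nil {
				return "", err
			}
		case err != nil:
			return "", err
		case !insideRoot(root, resolved):
			return "", fmt.Errorf("%w: %q resolves to %q", ErrEscape, cur, resolved)
		default:
			cur = resolved
		}
	}
	return cur, nil
}

// SafeExtract unpacks the tar stream r into dest; every path is vetted by resolveDir and the symlink-target check first.
func SafeExtract(r io.Reader, dest string) error {
	root, err := filepath.EvalSymlinks(dest) // canonical root, so Rel comparisons hold
	if err != nil {
		return err
	}
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return nil // whole archive processed without a single refused entry
		} else if err != nil {
			return err
		}
		name := filepath.Clean(hdr.Name)
		if name == ".." || strings.HasPrefix(name, "../") { // deeper ".." components are caught by resolveDir
			return fmt.Errorf("%w: %q", ErrEscape, hdr.Name)
		}
		parent, err := resolveDir(root, filepath.Dir(name))
		if err != nil {
			return err
		}
		target := filepath.Join(parent, filepath.Base(name))
		switch hdr.Typeflag {
		case tar.TypeDir:
			_, err = resolveDir(root, name)
		case tar.TypeReg: // O_NOFOLLOW (Unix) refuses to write through a symlink sitting at the final component
			var f *os.File
			if f, err = os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC|syscall.O_NOFOLLOW, os.FileMode(hdr.Mode)&0o777); err == nil {
				_, err = io.Copy(f, tr)
				f.Close()
			}
		case tar.TypeSymlink: // the target is judged relative to the link's own directory
			if filepath.IsAbs(hdr.Linkname) || !insideRoot(root, filepath.Join(parent, hdr.Linkname)) {
				return fmt.Errorf("%w: symlink %q -> %q", ErrEscape, hdr.Name, hdr.Linkname)
			}
			err = os.Symlink(hdr.Linkname, target)
		default: // hard links, devices and anything else are refused outright in this example
			err = fmt.Errorf("unsupported entry type %q in %q", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return err
		}
	}
}

func main() { // usage: go run safetar.go layer.tar ./rootfs
	f, err := os.Open(os.Args[1])
	if err == nil {
		err = SafeExtract(f, os.Args[2])
	}
	fmt.Println("result:", err) // nil means every entry was accepted
}
```

The extractor fails closed: the first offending entry aborts the whole extraction rather than being skipped, which is the behaviour you want for an image layer, since a partially applied layer is itself a confusing state. Hard links are refused outright here for brevity; a fuller implementation would check, as for symlinks, that the link source resolves inside the root before calling os.Link.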

Docker credits Red Hat's Florian Weimer and independent researcher Tõnis Tiigi for spotting the flaw.

But if fixing that little showstopper isn't reason enough for you to upgrade, Monday's security disclosure also describes a second critical bug, CVE-2014-6408, this one affecting only Docker versions 1.3.0 and 1.3.1.

Those versions of the software would accept and act upon security options embedded in Docker images, which could allow a malicious image to loosen the security restrictions applied to the container that executes it. Under the right circumstances, that in turn could let a malicious program break out of its container and affect the host system itself.

Right, so upgrade it shall be, then.

Docker says version 1.3.2 is available now for all supported platforms. That's a long list, but upgrade instructions are available for many of them here. ®
