

By | Neil McAllister 12th December 2014 22:14

Batten down the patches: New vuln found in Docker container tech

Last month's patch brought new privilege escalation flaw

More security woes plagued users of the Docker application containerization tech for Linux this week, after an earlier security patch was found to have introduced a brand-new critical vulnerability in the software.

The Docker 1.3.2 update, which was released in November to address critical bugs that could be exploited by an attacker via a malicious Docker image file, has now been supplanted by Docker 1.3.3, and all users of version 1.3.2 are urged to upgrade ASAP.

Although the 1.3.2 patch introduced "chroot" sandboxing when uncompressing Docker images to close the earlier vuln, it brought with it yet another bug: the xz decompressor was invoked from inside that chroot, so an image layer that shipped its own malicious xz binary could get that binary run by the Docker daemon. The result is that an attacker can potentially execute arbitrary code with root-user privileges on affected systems.
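The mechanism above, as an added example that is not Docker's code: a constructed hostile layer carries its own `usr/bin/xz`, and after a `chroot` into the extracted layer any PATH lookup for `xz` lands on the attacker's file (simulated here with path joins, so no root or real chroot is needed). The hardened path decompresses in-process with the host's liblzma before any chroot, and validates tar members before writing them. The layer contents, the helper names and the PATH order are all assumptions made for the example.

```python
import io
import lzma
import os
import tarfile
import tempfile

# Constructed stand-in for a hostile image layer: a shell script that plays
# the role of an attacker-supplied 'xz' binary shipped inside the layer.
PLANTED_XZ = b"#!/bin/sh\n# attacker-controlled 'xz' shipped inside the layer\n"

# Python >= 3.12 supports the 'data' extraction filter; use it where present.
_EXTRACT_KWARGS = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}


def build_layer(members):
    """Build an xz-compressed tar from {name: bytes} (constructed test data)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755 if name.endswith("/xz") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return lzma.compress(raw.getvalue())


def decompress_in_process(layer_xz):
    """Hardened step: decompress with the host's liblzma, in our own process and
    before any chroot, so no executable called 'xz' is ever looked up."""
    return lzma.decompress(layer_xz)


def _check_member(info):
    """Reject tar members that could write or link outside the extraction root."""
    parts = info.name.split("/")
    if info.name.startswith("/") or ".." in parts:
        raise ValueError(f"unsafe member path: {info.name!r}")
    if info.issym() or info.islnk():
        target = info.linkname
        if target.startswith("/") or ".." in target.split("/"):
            raise ValueError(f"unsafe link target in {info.name!r}: {target!r}")
    if info.isdev():
        raise ValueError(f"device node not allowed in layer: {info.name!r}")


def extract_layer(layer_xz, dest):
    """Decompress in-process, validate every member, then extract into dest.
    Returns the sorted member names that were written."""
    tar_bytes = decompress_in_process(layer_xz)
    names = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for info in tar:
            _check_member(info)
            tar.extract(info, path=dest, **_EXTRACT_KWARGS)
            names.append(info.name)
    return sorted(names)


def exec_target_in_chroot(root, prog, path_dirs=("/usr/local/bin", "/usr/bin", "/bin")):
    """Where a PATH lookup for `prog` would resolve after chroot(root).
    Models the 1.3.2 flaw: the 'xz' found is whatever the untrusted layer put
    there. Simulated by joining paths; no real chroot is performed."""
    for d in path_dirs:
        candidate = os.path.join(root, d.lstrip("/"), prog)
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & 0o111:
            return candidate
    return None


def demo():
    """Run the scenario in a temporary directory and return the observations."""
    hostile = build_layer({"usr/bin/xz": PLANTED_XZ, "etc/hello.txt": b"hello\n"})
    with tempfile.TemporaryDirectory() as root:
        members = extract_layer(hostile, root)
        found = exec_target_in_chroot(root, "xz")
        with open(found, "rb") as fh:
            planted = fh.read() == PLANTED_XZ
        # A layer trying to climb out of the root is refused before extraction.
        try:
            extract_layer(build_layer({"../escape": b"x"}), root)
            traversal_blocked = False
        except ValueError:
            traversal_blocked = True
    return {
        "members": members,
        "planted_xz_in_chroot": planted,
        "traversal_blocked": traversal_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `exec_target_in_chroot` is that a chroot only changes where the filesystem root is; it does not make the files under it trustworthy, so any program resolved by name after the chroot is the image author's choice, not the host's. Doing the decompression in the daemon's own process, with its own library, removes that lookup entirely; the member checks are the separate guard against layers that try to write outside their directory.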

As with the November vulnerability, the new bug was spotted by independent security researcher Tõnis Tiigi.

Such security problems have been a black eye for Docker, which is increasingly being eyed as a cleaner replacement for virtualization technology, particularly on cloud-hosted servers.

Earlier this month, Alex Polvi, CEO of CoreOS, which markets an eponymous Linux distribution for massive-scale server deployments, slammed Docker's security model as being "broken," adding that its daemon-driven design is "fundamentally flawed." CoreOS is now working on a simpler Docker alternative called Rocket.

For its part, Docker says it considers security to be "of paramount importance." Bug fixes, rather than new features, were the primary focus of version 1.4.0 of the software, which was released on Thursday simultaneously with version 1.3.3 and includes more than 180 fixes.

In a blog post, Docker senior engineering veep Marianna Tessel said, "In the future, we expect new execution engine plugins to offer more choice and greater granularity for our security-focused users."

She added that Docker introduced signed images into its repositories with version 1.3 and that it has proposed a trust system to help customers ensure that the images they are downloading are legit.

"As we grow, we will continue our investment in our security team, contributions, tooling and processes," Tessel said. "This investment will make Docker safer, helping it become a secure and trusted partner for our users." ®
