The open-source Docker container virtualization technology has emerged as one of the hottest and most hyped technologies of the year. Docker, however, isn’t immune from security vulnerabilities, as a pair of recent updates illustrate.
On Nov. 24, the Docker open-source project released version 1.3.2, fixing a pair of critical security vulnerabilities. One of the issues, identified as CVE-2014-6407, is a host privilege escalation flaw.
“The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations,” Docker warned in its security advisory. “This vulnerability could be leveraged to perform remote code execution and privilege escalation.”
The second issue patched in Docker 1.3.2, identified as CVE-2014-6408, is vulnerability related to how security options were connected to images.
“This vulnerability could allow a malicious image creator to loosen the restrictions applied to a container’s processes, potentially facilitating a break-out,” Docker warned in its advisory.
The two critical security updates in Docker 1.3.2 aren’t the only recent fixes of serious vulnerabilities in Docker either. Docker 1.3.2 follows Docker 1.3.1, which debuted on Oct. 30 with a critical security fix for a vulnerability identified as CVE-2014-5277. CVE-2014-5277 is what is known as a downgrade attack and could have potentially changed (or downgraded) a secure HTTPS encrypted connection to an unsecure and unencrypted HTTP connection.
According to a Red Hat Bugzilla entry on CVE-2014-5277, the vulnerability “allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.”
That’s a very serious nontrivial risk. An attacker could relatively easily force the downgrade attack and compromise the container.
In the container model, instead of a separate operating system for each virtual application, the Docker engine sits on top of a single host operating system. The basic idea is that operating system-based security, which in Linux includes multiple tools such as cgroups (control groups) and Linux namespaces, is used to help enforce isolation and multitenant security.
What the Docker 1.3.1 and 1.3.2 updates show is that even with host-based security, there still can be container-level risks.
The 1.3.1 and 1.3.2 updates also demonstrate that the open-source Docker project has an effective and active security community. Of all the vulnerabilities fixed in Docker 1.3.1 and 1.3.2, none was a zero-day flaw and there are no public reports of any exploitation in the wild.
Third-party security vendors didn’t report all of the security issues. In the case of the CVE-2014-5277 issue fixed in Docker 1.3.1, Docker founder Solomon Hykes is credited with the discovery of the issue.
The simple truth of security is this: Vulnerabilities will always be found. Finding and fixing those vulnerabilities quickly, without exposing users to unnecessary risk, is not always easy, but it’s something that the Docker project with its recent updates has tried to achieve.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.