Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Blogs
    • Security Watch

    Docker Update Fixes Pair of Critical Security Flaws

    By
    Sean Michael Kerner
    -
    November 25, 2014
    Share
    Facebook
    Twitter
    Linkedin
      Docker

      The open-source Docker container virtualization technology has emerged as one of the hottest and most hyped technologies of the year. Docker, however, isn’t immune from security vulnerabilities, as a pair of recent updates illustrate.

      On Nov. 24, the Docker open-source project released version 1.3.2, fixing a pair of critical security vulnerabilities. One of the issues, identified as CVE-2014-6407, is a host privilege escalation flaw.

      “The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations,” Docker warned in its security advisory. “This vulnerability could be leveraged to perform remote code execution and privilege escalation.”

      The second issue patched in Docker 1.3.2, identified as CVE-2014-6408, is vulnerability related to how security options were connected to images.

      “This vulnerability could allow a malicious image creator to loosen the restrictions applied to a container’s processes, potentially facilitating a break-out,” Docker warned in its advisory.

      The two critical security updates in Docker 1.3.2 aren’t the only recent fixes of serious vulnerabilities in Docker either. Docker 1.3.2 follows Docker 1.3.1, which debuted on Oct. 30 with a critical security fix for a vulnerability identified as CVE-2014-5277. CVE-2014-5277 is what is known as a downgrade attack and could have potentially changed (or downgraded) a secure HTTPS encrypted connection to an unsecure and unencrypted HTTP connection.

      According to a Red Hat Bugzilla entry on CVE-2014-5277, the vulnerability “allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic.”

      That’s a very serious nontrivial risk. An attacker could relatively easily force the downgrade attack and compromise the container.

      In the container model, instead of a separate operating system for each virtual application, the Docker engine sits on top of a single host operating system. The basic idea is that operating system-based security, which in Linux includes multiple tools such as cgroups (control groups) and Linux namespaces, is used to help enforce isolation and multitenant security.

      What the Docker 1.3.1 and 1.3.2 updates show is that even with host-based security, there still can be container-level risks.

      The 1.3.1 and 1.3.2 updates also demonstrate that the open-source Docker project has an effective and active security community. Of all the vulnerabilities fixed in Docker 1.3.1 and 1.3.2, none was a zero-day flaw and there are no public reports of any exploitation in the wild.

      Third-party security vendors didn’t report all of the security issues. In the case of the CVE-2014-5277 issue fixed in Docker 1.3.1, Docker founder Solomon Hykes is credited with the discovery of the issue.

      The simple truth of security is this: Vulnerabilities will always be found. Finding and fixing those vulnerabilities quickly, without exposing users to unnecessary risk, is not always easy, but it’s something that the Docker project with its recent updates has tried to achieve.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×