
Docker Updates for Three Security Vulnerabilities

Dec 15, 2014

The open-source Docker project has updated the Docker engine for container virtualization to version 1.3.3, fixing a trio of security vulnerabilities. The security advisories for the Docker vulnerabilities were first publicly released on Dec. 11, although not every vendor in the Docker ecosystem has been in a hurry to update.

Docker has emerged over the course of 2014 to become a popular technology for application virtualization and now has the support of Amazon, IBM, VMware, Microsoft and Red Hat, among others.

One of the issues fixed in Docker 1.3.3 is identified as CVE-2014-9357 and is a privilege-escalation flaw that was introduced in the Docker 1.3.2 update. Docker 1.3.2 debuted on Nov. 24, providing users with a pair of security updates.

“It has been discovered that the introduction of chroot for archive extraction in Docker 1.3.2 had introduced a privilege escalation vulnerability,” Docker warned in its advisory. “Malicious images or builds from malicious Dockerfiles could escalate privileges and execute arbitrary code as a privileged root user on the Docker host by providing a malicious ‘xz’ binary.”

The other two security updates in the Docker 1.3.3 update are for what are known as path traversal vulnerabilities. In a path traversal attack, the attacker gains unauthorized access to files outside the directories a given user is authorized to access, typically by supplying a path containing components such as `..`. One of the path traversal flaws is identified as CVE-2014-9356.

“This vulnerability allowed malicious images or builds from malicious Dockerfiles to write files to the host system and escape containerization, leading to privilege escalation,” Docker warned in its advisory for CVE-2014-9356.

The second path traversal issue is identified as CVE-2014-9358, which was the result of the Docker engine not fully validating image IDs.
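The two path traversal issues described above, image archives whose entries write outside the container's filesystem root and image IDs that are not validated before use, both come down to the same defensive check: never let untrusted input decide a path on the host. The following Go program is an added example written for this article, not code from the Docker project or from Docker's advisories. It constructs a small in-memory tar archive (labelled as sample data) containing both well-formed entries and entries that try to escape the extraction directory, audits it, and separately validates image IDs against the 64-character lowercase hex format (an assumption made here for the example; the destination directory `/tmp/dest` is also a placeholder).

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed format for this example: an image ID is 64 lowercase hex characters.
// Anything else must never be used to build a path under the image store.
var imageIDPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

// ValidImageID reports whether id is a well-formed image ID.
func ValidImageID(id string) bool {
	return imageIDPattern.MatchString(id)
}

// SafeJoin resolves an archive entry name against destDir and returns the
// absolute target path, or an error if the entry would land outside destDir.
func SafeJoin(destDir, entryName string) (string, error) {
	absDest, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	// Archive entries must be relative; an absolute name is rejected outright.
	if filepath.IsAbs(entryName) {
		return "", fmt.Errorf("absolute path in archive entry: %q", entryName)
	}
	target := filepath.Join(absDest, entryName) // Join also collapses ".." segments
	// After cleaning, target must be absDest itself or a descendant of it.
	rel, err := filepath.Rel(absDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("archive entry escapes destination: %q", entryName)
	}
	return target, nil
}

// AuditTar walks a tar stream and returns the names of entries that would
// write or link outside destDir. Symlink and hardlink targets are resolved
// relative to the entry's own directory before being checked.
func AuditTar(r io.Reader, destDir string) (rejected []string) {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			rejected = append(rejected, "unreadable entry: "+err.Error())
			break
		}
		if _, err := SafeJoin(destDir, hdr.Name); err != nil {
			rejected = append(rejected, hdr.Name)
			continue
		}
		if hdr.Typeflag == tar.TypeSymlink || hdr.Typeflag == tar.TypeLink {
			resolved := filepath.Join(filepath.Dir(hdr.Name), hdr.Linkname)
			// filepath.Join would strip a leading "/", so check absoluteness first.
			if filepath.IsAbs(hdr.Linkname) {
				rejected = append(rejected, hdr.Name+" -> "+hdr.Linkname)
				continue
			}
			if _, err := SafeJoin(destDir, resolved); err != nil {
				rejected = append(rejected, hdr.Name+" -> "+hdr.Linkname)
				continue
			}
		}
	}
	return rejected
}

// BuildSampleTar constructs an in-memory archive (sample data, not a real
// image layer) with two benign entries and two that try to escape.
func BuildSampleTar() io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	entries := []struct {
		name, link, body string
		typ              byte
	}{
		{"bin/ok", "", "hello", tar.TypeReg},
		{"../../outside.txt", "", "escaped", tar.TypeReg},
		{"usr/local/link-ok", "../bin/ok", "", tar.TypeSymlink},
		{"escape-link", "../../outside-dir", "", tar.TypeSymlink},
	}
	for _, e := range entries {
		hdr := &tar.Header{Name: e.name, Mode: 0o644, Typeflag: e.typ,
			Linkname: e.link, Size: int64(len(e.body))}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if e.body != "" {
			if _, err := tw.Write([]byte(e.body)); err != nil {
				panic(err)
			}
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return &buf
}

func main() {
	for _, name := range AuditTar(BuildSampleTar(), "/tmp/dest") {
		fmt.Println("rejected:", name)
	}
	fmt.Println("valid image id:", ValidImageID(strings.Repeat("a", 64)))
}
```

The point of checking the link target as well as the entry name is that a symlink whose name is inside the destination can still point at a host path; an extractor that later follows it when writing a subsequent entry would write outside the root. Checking the image ID against a strict pattern before it is ever joined onto a filesystem path removes the traversal question from that code path entirely.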

While the open-source Docker project issued its updates on Dec. 11, on Dec. 12, Red Hat was promoting the availability of Docker-1.3.2-4 for its Red Hat Enterprise Linux (RHEL) Atomic Host operating system. Atomic Host is a version of Red Hat’s flagship Linux platform that has been optimized for Docker container application delivery.

As to why Red Hat did not immediately provide its RHEL Atomic Host users with Docker 1.3.3, Dan Walsh, consulting engineer at Red Hat, responded to eWEEK via Twitter that the CVEs were not considered serious.

Lars Herrmann, senior director, strategy, at Red Hat, told eWEEK via email that Red Hat issued bug advisory RHBA-2014:1977-1 on Dec. 10. The CVE-2014-9358 vulnerability, which was patched by the upstream open-source Docker project in the Docker 1.3.3 release, is part of the Red Hat bug advisory and patched in the Docker-1.3.2-4 update. The other two flaws, CVE-2014-9356 and CVE-2014-9357, were not part of Red Hat’s update.

“The CVEs that are not addressed in this RHBA are not considered problematic,” Herrmann stated. “The bottom line is that for customers who are using systems properly, including using container images from only trusted sources, two of the CVEs identified will not affect them.”

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
