Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31420
HistoryDec 01, 2014 - 12:00 a.m.

Docker 1.3.2 - Security Advisory [24 Nov 2014]

2014-12-0100:00:00
vulners.com
18
JSON

Today, we are releasing Docker 1.3.2 in order to address two critical
security issues. This release also includes several bugfixes,
including changes to the insecure-registry option. Below are CVE
descriptions for the vulnerabilities addressed in this release.

Docker 1.3.2 is available immediately for all supported platforms:
https://docs.docker.com/installation/

Docker Security Advisory [24 Nov 2014]

=====================================================
[CVE-2014-6407] Archive extraction allowing host privilege escalation

Severity: Critical
Affects: Docker up to 1.3.1

The Docker engine, up to and including version 1.3.1, was vulnerable
to extracting files to arbitrary paths on the host during ‘docker
pull’ and ‘docker load’ operations. This was caused by symlink and
hardlink traversals present in Docker's image extraction. This
vulnerability could be leveraged to perform remote code execution and
privilege escalation.

Docker 1.3.2 remedies this vulnerability. Additional checks have been
added to pkg/archive and image extraction is now performed in a
chroot. No remediation is available for older versions of Docker and
users are advised to upgrade.

Related vulnerabilities discovered by Florian Weimer of Red Hat
Product Security and independent researcher, Tonis Tiigi.

=================================================================
[CVE-2014-6408] Security options applied to image could lead to
container escalation

Severity: Critical
Affects: Docker 1.3.0-1.3.1

Docker versions 1.3.0 through 1.3.1 allowed security options to be
applied to images, allowing images to modify the default run profile
of containers executing these images. This vulnerability could allow a
malicious image creator to loosen the restrictions applied to a
container’s processes, potentially facilitating a break-out.

Docker 1.3.2 remedies this vulnerability. Security options applied to
images are no longer consumed by the Docker engine and will be
ignored. Users are advised to upgrade.

=================================================================
Other changes:

Besides the above CVEs, the 1.3.2 release allows administrators to
pass a CIDR-formatted range of addresses for '—insecure-registry'. In
addition, allowing a cleartext registry to exist on localhost is now
default behavior. This change was made due to user feedback following
the changes made in 1.3.1 to resolve CVE-2014-5277.

Related

suse 1
nessus 6
fedora 2
amazon 1
openvas 9
oraclelinux 1
prion 5
ubuntucve 4
github 3
cve 5
veracode 2
osv 4
debiancve 4
cbl_mariner 2
redhatcve 1
redhat 1
securityvulns 1
suse
suse
Security update for docker (important)
2014-12-08 17:07:52
nessus
nessus
Oracle Linux 6 / 7 : docker (ELSA-2014-3095)
2014-12-06 00:00:00
openSUSE Security Update : docker (openSUSE-SU-2014:1596-1)
2014-12-09 00:00:00
Fedora 21 : docker-io-1.3.2-2.fc21 (2014-15779)
2014-12-04 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: docker-io-1.3.2-2.fc21
2014-12-03 17:16:16
[SECURITY] Fedora 20 Update: docker-io-1.4.1-6.fc20
2015-01-26 02:35:37
amazon
amazon
Critical: docker
2014-11-25 12:22:00
openvas
openvas
Amazon Linux: Security Advisory (ALAS-2014-454)
2015-09-08 00:00:00
Fedora Update for docker-io FEDORA-2014-15779
2015-01-05 00:00:00
openSUSE: Security Advisory for docker (openSUSE-SU-2014:1596-1)
2015-09-18 00:00:00
oraclelinux
oraclelinux
docker security and bug fix update
2014-12-05 00:00:00
prion
prion
Design/Logic Flaw
2014-12-12 15:59:00
Hardcoded credentials
2014-12-12 15:59:00
Authentication flaw
2014-11-17 16:59:00
ubuntucve
ubuntucve
CVE-2014-6408
2014-12-12 00:00:00
CVE-2014-6407
2014-12-12 00:00:00
CVE-2014-5277
2014-11-17 00:00:00
github
github
Access Restriction Bypass in Docker
2022-02-15 01:57:18
Arbitrary Code Execution in Docker
2022-02-15 00:41:12
Man-in-the-Middle (MitM)
2022-02-15 01:57:18
cve
cve
CVE-2014-6407
2014-12-12 15:59:00
CVE-2014-6408
2014-12-12 15:59:00
CVE-2014-5277
2014-11-17 16:59:00
veracode
veracode
Container Bypass
2017-05-03 08:59:15
Remote Code Execution (RCE)
2017-05-03 07:48:05
osv
osv
Access Restriction Bypass in Docker
2022-02-15 01:57:18
Arbitrary Code Execution in Docker
2022-02-15 00:41:12
Man-in-the-Middle (MitM)
2022-02-15 01:57:18
debiancve
debiancve
CVE-2014-6408
2014-12-12 15:59:00
CVE-2014-6407
2014-12-12 15:59:00
CVE-2014-5277
2014-11-17 16:59:00
cbl_mariner
cbl_mariner
CVE-2014-6407 affecting package moby-buildx 0.4.1-3
2021-07-08 21:56:42
CVE-2014-5277 affecting package moby-buildx 0.4.1-3
2021-07-08 21:56:42
redhatcve
redhatcve
CVE-2014-3605
2020-02-11 05:14:18
redhat
redhat
(RHSA-2015:0776) Moderate: docker security update
2015-04-02 00:00:00
securityvulns
securityvulns
Docker multiple security vulnerabilities
2014-12-22 00:00:00
JSON
Related for SECURITYVULNS:DOC:31420
suse1nessus6fedora2amazon1openvas9oraclelinux1prion5ubuntucve4github3cve5veracode2osv4debiancve4cbl_mariner2redhatcve1redhat1securityvulns1