The developers of Docker last week released new versions of the product to address several security issues, and they shared some information on the steps taken by the company to make the solution more secure.
In November, Docker released version 1.3.2 of the open platform utilized by developers and system admins to build, ship, and run distributed applications. Shortly after the release of Docker 1.3.2, researchers uncovered other vulnerabilities that can be exploited through a malicious Dockerfile, image, or registry to compromise a host, or to spoof official images.
The flaws have been addressed with the release of Docker 1.3.3. The fixes for the security holes are also included in Docker 1.4.0, in which new features have been added and a total of 180 commits for fixes have been merged.
Two of the three vulnerabilities fixed in the latest versions have been discovered by Estonia-based developer Tõnis Tiigi. One of the bugs, which can be exploited for privilege escalation, has been described as a path traversal issue in the processing of absolute symlinks (CVE-2014-9356).
“In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via both archive extraction and through volume mounts,” Docker said in an advisory. “This vulnerability allowed malicious images or builds from malicious Dockerfiles to write files to the host system and escape containerization, leading to privilege escalation.”
Another privilege escalation vulnerability discovered by Tiigi occurs during the decompression of LZMA archives (CVE-2014-9357). The flaw, introduced in Docker 1.3.2, allows malicious images or builds to escalate privileges and execute arbitrary code as root on the Docker host.
Docker 1.3.3 and Docker 1.4.0 also address a path traversal and spoofing issue (CVE-2014-9358) identified by Docker’s Eric Windisch.
“It has been discovered that Docker does not sufficiently validate Image IDs as provided either via ‘docker load’ or through registry communications. This allows for path traversal attacks, causing graph corruption and manipulation by malicious images, as well as repository spoofing attacks,” Docker explained in its advisory.
According to Marianna Tessel, Docker SVP of Engineering, the company is working on making enhancements to the security of the platform, and it’s doing its best to fix vulnerabilities as quickly as possible.
This summer, after a serious vulnerability was uncovered, Docker decided to call in a security firm to audit and test every major release of the product.
“Our goal is to have security fixes for the current stable release in the hands of our users absolutely as quickly as possible. Fixes, once prepared, are initially sent to an early disclosure notification list for review and for vendor preparedness in advance of public disclosure. This list includes Linux distributions and cloud providers,” Tessel said in a blog post.
Tessel says Docker appreciates the work of researchers who report security bugs in the platform. The company plans on creating a page for security advisories and a hall of fame for those who contribute to making the solution more secure. In the meantime, vulnerabilities can be reported to the organization via the email address [email protected].
The company also plans on rolling out some new features for security-focused users.
“Docker Engine takes advantage of the security mechanisms and isolation provided by the OS. This is pluggable, with support on Linux for namespaces, capabilities, and cgroups implemented through either libcontainer or lxc. In the future, we expect new execution engine plugins to offer more choice and greater granularity for our security-focused users,” Tessel said.
