Security Experts:

Connect with us

Hi, what are you looking for?



Docker Fixes Vulnerabilities, Shares Plans For Making Platform Safer

The developers of Docker last week released new versions of the product to address several security issues, and they shared some information on the steps taken by the company to make the solution more secure.

The developers of Docker last week released new versions of the product to address several security issues, and they shared some information on the steps taken by the company to make the solution more secure.

In November, Docker released version 1.3.2 of the open platform utilized by developers and system admins to build, ship, and run distributed applications. Shortly after the release of Docker 1.3.2, researchers uncovered other vulnerabilities that can be exploited through a malicious Dockerfile, image, or registry to compromise a host, or to spoof official images.

The flaws have been addressed with the release of Docker 1.3.3. The fixes for the security holes are also included in Docker 1.4.0, in which new features have been added and a total of 180 commits for fixes have been merged.

Two of the three vulnerabilities fixed in the latest versions have been discovered by Estonia-based developer Tõnis Tiigi. One of the bugs, which can be exploited for privilege escalation, has been described as a path traversal issue in the processing of absolute symlinks (CVE-2014-9356).

“In checking symlinks for traversals, only relative links were considered. This allowed path traversals to exist where they should have otherwise been prevented. This was exploitable via both archive extraction and through volume mounts,” Docker said in an advisory. “This vulnerability allowed malicious images or builds from malicious Dockerfiles to write files to the host system and escape containerization, leading to privilege escalation.”

Another privilege escalation vulnerability discovered by Tiigi occurs during the decompression of LZMA archives (CVE-2014-9357). The flaw, introduced in Docker 1.3.2, allows malicious images or builds to escalate privileges and execute arbitrary code as root on the Docker host.

Docker 1.3.3 and Docker 1.4.0 also address a path traversal and spoofing issue (CVE-2014-9358) identified by Docker’s Eric Windisch.

“It has been discovered that Docker does not sufficiently validate Image IDs as provided either via ‘docker load’ or through registry communications. This allows for path traversal attacks, causing graph corruption and manipulation by malicious images, as well as repository spoofing attacks,” Docker explained in its advisory.

According to Marianna Tessel, Docker SVP of Engineering, the company is working on making enhancements to the security of the platform, and it’s doing its best to fix vulnerabilities as quickly as possible.

This summer, after a serious vulnerability was uncovered, Docker decided to call in a security firm to audit and test every major release of the product.

“Our goal is to have security fixes for the current stable release in the hands of our users absolutely as quickly as possible. Fixes, once prepared, are initially sent to an early disclosure notification list for review and for vendor preparedness in advance of public disclosure. This list includes Linux distributions and cloud providers,” Tessel said in a blog post.

Tessel says Docker appreciates the work of researchers who report security bugs in the platform. The company plans on creating a page for security advisories and a hall of fame for those who contribute to making the solution more secure. In the meantime, vulnerabilities can be reported to the organization via the email address [email protected].

The company also plans on rolling out some new features for security-focused users.

“Docker Engine takes advantage of the security mechanisms and isolation provided by the OS. This is pluggable, with support on Linux for namespaces, capabilities, and cgroups implemented through either libcontainer or lxc. In the future, we expect new execution engine plugins to offer more choice and greater granularity for our security-focused users,” Tessel said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet