{"id":11883,"date":"2014-11-27T00:49:23","date_gmt":"2014-11-27T00:49:23","guid":{"rendered":"http:\/\/www.cloudcomputing-news.net\/news\/2014\/nov\/27\/docker-vulnerability-exposed-users-urged-upgrade-cloud-security\/"},"modified":"2014-11-27T00:49:23","modified_gmt":"2014-11-27T00:49:23","slug":"docker-vulnerability-exposed-users-urged-to-upgrade-for-cloud-security","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/docker-vulnerability-exposed-users-urged-to-upgrade-for-cloud-security\/","title":{"rendered":"Docker vulnerability exposed, users urged to upgrade for cloud security"},"content":{"rendered":"<p><em>Picture credit: iStockPhoto<\/em><\/p>\n<p>Docker, the Linux container platform for run-anywhere apps, has a critical vulnerability in every version but the latest: a malicious image can write files to arbitrary paths on the host while it is being pulled or loaded.<\/p>\n<p>The vuln (CVE-2014-6407), described as &lsquo;critical&rsquo; in severity, was found by Red Hat security researcher Florian Weimer and independent researcher T&otilde;nis Tiigi, with Docker <a href=\"http:\/\/www.securityfocus.com\/archive\/1\/534082\">crediting them in a security advisory.<\/a><\/p>\n<p>&ldquo;The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during &lsquo;Docker pull&rsquo; and &lsquo;Docker load&rsquo; operations,&rdquo; it reads. &ldquo;This was caused by symlink and hardlink traversals present in Docker&rsquo;s image extraction.<\/p>\n<p>&ldquo;This vulnerability could be leveraged to perform remote code execution and privilege escalation,&rdquo; it added.<\/p>\n<p>In practical terms, an image layer is a tar archive whose entries the image author controls. A symlink entry that points outside the layer directory, followed by a file entry placed beneath that symlink, lands the file wherever the link points on the host, and a hardlink entry can alias a host file into the layer. Because the Docker daemon runs as root, a write that escapes the layer directory is a host compromise, not a contained failure.<\/p>\n<p>The advisory noted that no remediation is available for older versions, and urged users to upgrade to the fixed release.<\/p>\n<p>This wasn&rsquo;t the only bug in the release either. A second issue (CVE-2014-6408), affecting versions 1.3.0 and 1.3.1, lets a malicious image creator modify the default run profile of containers started from that image; it too is fixed in the current version.<\/p>\n<p>The wider concern is that the vast majority of major cloud computing providers have partnered with Docker to package applications on its platform. <a href=\"http:\/\/www.cloudcomputing-news.net\/news\/2014\/oct\/17\/microsoft-announces-partnership-docker-container-platforms\/\">Microsoft announced its deal in October<\/a>, with Google, Amazon Web Services and Rackspace also on board.<\/p>\n<p>It&rsquo;s easy to see why these vendors are buddying up: because a container shares the host&rsquo;s kernel, shipping an application in one avoids the overhead of spinning up a virtual machine. But as with any fast-moving new platform, it is best not to get carried away on a lightly tested system when security scares are just around the corner.<\/p>\n<p>Users are urged to upgrade to version 1.3.2 as soon as they can, which they can find <a href=\"http:\/\/linux.softpedia.com\/get\/System\/Software-Distribution\/Docker-dotcloud-102978.shtml\">here.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Picture credit: iStockPhoto<br \/>\nDocker, the Linux container platform for run-anywhere apps, has a critical vulnerability in every version but the latest: a malicious image can write files to arbitrary paths on the host while it is being pulled or loaded.<br \/>\nThe vuln (CVE-2014-6407), described as &lsquo;critical&rsquo;&#8230;<\/p>\n","protected":false},"author":50,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-11883","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/11883","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/50"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=11883"}],"version-history":[{"count":0,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/11883\/revisions"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/media?parent=11883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=11883"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=11883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
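The symlink traversal the advisory describes, as an added example that is not from the article and not Docker's own code. It builds a two-entry tarball in memory (a constructed layer, not a real image), then feeds it to a deliberately naive extractor and to a hardened one; `naive_extract`, `safe_extract`, `build_layer`, `demo` and `TraversalError` are names chosen for this illustration, and Python's `tarfile` stands in for the Go `pkg/archive` code the advisory refers to. The hardened extractor also checks hard-link sources, a path the malicious sample does not exercise.

```python
import io, os, tarfile, tempfile

class TraversalError(Exception): """An archive entry would reach outside the extraction root."""

def _rel_within(root, path):
    """path relative to root, or None if it lies outside; lexical only, blind to symlinks on disk."""
    rel = os.path.relpath(path, root)
    return None if rel == ".." or rel.startswith(".." + os.sep) else rel

def naive_extract(data, dest):
    """Vulnerable: each name passes a lexical check, but makedirs() and open() follow a planted symlink."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf:
            target = os.path.normpath(os.path.join(dest, m.name))
            if _rel_within(dest, target) is None:
                raise TraversalError(m.name)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            if m.issym():
                os.symlink(m.linkname, target)
            elif m.isreg():
                with open(target, "wb") as f:
                    f.write(tf.extractfile(m).read())

def _resolve_parent(root, rel):
    """Create rel's parent directories one component at a time, resolving each on disk
    before descending, so a planted symlink is caught where it would redirect the write."""
    cur = root
    for part in filter(None, os.path.dirname(rel).split(os.sep)):
        cur = os.path.join(cur, part)
        try:
            os.mkdir(cur)
        except FileExistsError:
            pass
        cur = os.path.realpath(cur)
        if _rel_within(root, cur) is None:
            raise TraversalError(f"{part!r} resolves to {cur!r}")
    return cur  # the real directory the entry must be created in

def safe_extract(data, dest):
    """Hardened extraction (directories made on demand; modes/owners not restored). Illustrative
    only: Docker 1.3.2 added checks of this kind to pkg/archive and moved extraction into a chroot."""
    os.makedirs(dest, exist_ok=True)
    root = os.path.realpath(dest)  # dest itself may be a symlink
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        for m in tf:
            rel = _rel_within(root, os.path.normpath(os.path.join(root, m.name)))
            if rel is None:  # "../" survived normpath, or the name was absolute
                raise TraversalError(m.name)
            target = os.path.join(_resolve_parent(root, rel), os.path.basename(rel))
            if m.issym():
                # The link object is inert (images carry absolute links all the time);
                # what matters is that nothing is ever written through it.
                os.symlink(m.linkname, target)
            elif m.islnk():
                # Hard-link sources are archive-relative: resolve on disk, then check.
                src = os.path.realpath(os.path.join(root, m.linkname))
                if _rel_within(root, src) is None:
                    raise TraversalError(f"hardlink {m.name!r} -> {m.linkname!r}")
                os.link(src, target)
            elif m.isreg():
                if os.path.islink(target):  # never open through a planted link
                    raise TraversalError(f"{m.name!r} is a symlink on disk")
                with open(target, "wb") as f:
                    f.write(tf.extractfile(m).read())

def build_layer(entries):
    """Constructed in-memory tarball, not a real image layer: (name, tar type, payload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in entries:
            ti = tarfile.TarInfo(name)
            ti.type = kind
            if ti.isreg():
                ti.size = len(payload.encode())
            else:
                ti.linkname = payload
            tf.addfile(ti, io.BytesIO(payload.encode()) if ti.isreg() else None)
    return buf.getvalue()

# A symlink to the directory above the layer, then a file beneath it; a real attack
# would aim the link at a host path such as /etc.
MALICIOUS_LAYER = build_layer([("etc", tarfile.SYMTYPE, ".."),
                               ("etc/pwned", tarfile.REGTYPE, "owned\n")])

def demo():
    """Per extractor: (did it reject the layer?, did 'pwned' land one level above its root?)."""
    with tempfile.TemporaryDirectory() as base:
        results = {}
        for name, extract in (("naive", naive_extract), ("safe", safe_extract)):
            try:
                extract(MALICIOUS_LAYER, os.path.join(base, name, "layer"))
                rejected = False
            except TraversalError:
                rejected = True
            results[name] = (rejected, os.path.exists(os.path.join(base, name, "pwned")))
    return results

if __name__ == "__main__":
    print(demo())  # {'naive': (False, True), 'safe': (True, False)}
```

Both extractors run the same lexical check on the entry name, and both accept `etc/pwned`; the difference is that the hardened one resolves the parent directory on disk before every write, so the planted `etc` symlink is caught the moment it resolves above the root, while the naive one writes `pwned` one level up. Extracting inside a chroot, as the 1.3.2 fix does, achieves the same containment more bluntly: even a symlink the checks miss cannot point anywhere the kernel will let the process reach.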