Docker Security Flaw Found - InformationWeek
Cloud // Infrastructure as a Service
News
11/26/2014 10:41 AM

Docker advises users to upgrade their container formatting system immediately to patch security hole in non-current versions.

The Docker Linux container engine has a major exposure that could allow a malicious image to write files to arbitrary paths on the host server while the image is being pulled or loaded, gaining privileges on the host that were never assigned to it and reaching files the container's code was never meant to touch.

Several generations of the Docker engine are subject to the vulnerability; only the latest version, Docker 1.3.2, is exempt. There is no way to patch the thousands of installed copies with release numbers before 1.3.2, according to company representatives; the only safeguard is to upgrade to the new release.

The 1.3.2 release can be downloaded here.

The exposure was discovered by security researcher Florian Weimer at Red Hat and confirmed by independent security researcher Tonis Tiigi. Red Hat is deeply committed to Linux users' adoption of Docker and produced Atomic Host, a version of Red Hat Enterprise Linux geared to run containers.

Docker's Eric Windisch issued a security advisory on Nov. 24 about the defect: "The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during 'docker pull' and 'docker load' operations ... This vulnerability could be leveraged to perform remote code execution and privilege escalation." Windisch added that no remediation is available for older versions of Docker.
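The bug class the advisory describes, shown in an added example that is not Docker's own code: a small Go extractor unpacks a constructed image layer into a scratch directory (the entry names, the file contents and the `secureDest` and `extract` functions are assumptions made for this illustration). Two of the entries try to leave that directory, one with a `../` path and one by first dropping a symlink that points above the root and then writing a file through it. `filepath.Join` folds the `..` away without complaint, and a plain path-prefix test does not see through the symlink; the check below closes both gaps by resolving the nearest ancestor that already exists on disk before anything is written.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscape = errors.New("tar entry escapes extraction root")

type entry struct {
	name, link, body string
	typ              byte
}

// layerEntries is a constructed sample layer, not a real image: the last three entries are hostile (a ".." traversal, then a symlink above the root and a file written through it).
var layerEntries = []entry{
	{name: "etc/", typ: tar.TypeDir},
	{name: "etc/motd", typ: tar.TypeReg, body: "hello from the image\n"},
	{name: "../../outside-root", typ: tar.TypeReg, body: "traversal\n"},
	{name: "escape", typ: tar.TypeSymlink, link: "../.."},
	{name: "escape/outside-via-symlink", typ: tar.TypeReg, body: "symlink escape\n"},
}

// buildArchive serialises the sample entries as a tar stream; the fixture is well-formed, so write errors are ignored.
func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		tw.WriteHeader(&tar.Header{Name: e.name, Typeflag: e.typ, Linkname: e.link, Mode: 0o644, Size: int64(len(e.body))})
		tw.Write([]byte(e.body)) // zero bytes for directories and symlinks
	}
	tw.Close()
	return buf.Bytes()
}

// secureDest returns the on-disk destination for name, or ErrEscape (its only error) if the entry would leave root lexically or through a symlink already on disk. root must be canonical.
func secureDest(root, name string) (string, error) {
	// filepath.Join folds ".." away silently; this prefix test is the lexical check an unchecked extractor lacks.
	dest := filepath.Join(root, name)
	if !strings.HasPrefix(dest+"/", root+"/") {
		return "", ErrEscape
	}
	// Resolve symlinks in the nearest ancestor that exists on disk: that is where the kernel would really put the file.
	anc := filepath.Dir(dest)
	for _, err := os.Lstat(anc); err != nil; _, err = os.Lstat(anc) {
		anc = filepath.Dir(anc)
	}
	if real, err := filepath.EvalSymlinks(anc); err != nil || !strings.HasPrefix(real+"/", root+"/") {
		return "", ErrEscape // refuse on any doubt
	}
	return dest, nil
}

// extract unpacks archive beneath root, refusing every entry secureDest flags; it returns the relative paths written and the names rejected.
func extract(root string, archive []byte) (written, rejected []string, err error) {
	if root, err = filepath.EvalSymlinks(root); err != nil { // canonical root, so the prefix tests compare like with like
		return nil, nil, err
	}
	tr := tar.NewReader(bytes.NewReader(archive))
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return written, rejected, err
		}
		dest, err := secureDest(root, hdr.Name)
		if errors.Is(err, ErrEscape) {
			rejected = append(rejected, hdr.Name)
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = os.MkdirAll(dest, 0o755)
		case tar.TypeSymlink:
			err = os.Symlink(hdr.Linkname, dest) // the link itself lives inside root; a write through it is caught by secureDest
		case tar.TypeReg:
			var body []byte
			if body, err = io.ReadAll(tr); err == nil {
				err = os.WriteFile(dest, body, os.FileMode(hdr.Mode))
			}
		default: // hard links, device nodes and the like need checks of their own; refuse rather than guess
			err = fmt.Errorf("unsupported entry type %q in %s", hdr.Typeflag, hdr.Name)
		}
		if err != nil {
			return written, rejected, err
		}
		written = append(written, strings.TrimPrefix(dest, root+"/"))
	}
	return written, rejected, nil
}

func main() {
	root, _ := os.MkdirTemp("", "layer-")
	defer os.RemoveAll(root)
	fmt.Println(extract(root, buildArchive(layerEntries))) // written, rejected, error
}
```

Running it prints the three benign entries as written and the two hostile ones as rejected. The point to take from it is that the decision has to be made per entry against the file system as it is at that moment, because an earlier entry in the same archive (here, the symlink) changes where a later name resolves.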


"While it is in no way an indictment of the Docker project, it does show that early-stage projects are just that -- early and still a little rough around the edges," wrote Ben Kepes, a New Zealand-based consultant on cloud computing at Diversity Ltd. on his Forbes.com blog. He added that news of the exposure is "a cautionary tale for organizations experimenting with early-stage projects."

Docker security has long been a concern for those familiar with the intricacies of running dozens of containers together on a single host. Containers are an effective way to isolate one application from another on a shared host, provided no container carries code that actively tries to trespass across container boundaries. The exposure found in versions of Docker up to 1.3.1 allowed a trespass of a different kind: a hostile image could write to the host's file system while it was being pulled or loaded, before any of its code ran in a container.

Despite developer enthusiasm for its container engine, Docker has warned that protection against malware moving from one container to the next cannot be guaranteed and has recommended that only containers from a single owner be run on the same host. VMware representatives, including CTO Ben Fathi, reiterated that warning at VMworld in August, stating again that only containers running inside a virtual machine on a shared host should be considered secure.

The 1.3.2 release fixed a second, lesser security hole as well, Windisch's post indicates.

There has been a background debate over whether multiple workloads can run safely on a single host in containers or whether enterprise IT should stick with virtual machines. Containers represent a significant advance in efficiency for multiple workloads because they share a single host's operating system kernel.

A virtual machine is more self-contained. It includes its own operating system but requires more system memory and compute cycles.

For now, virtual machines are winning the security debate on multi-tenant hosts. But developers and IT managers are watching Docker to see if container security improves. Managers at the Joyent cloud say their containers running under the SmartOS version of Solaris create a secure form of multi-tenant container operation. Where dozens of virtual machines can be put on a single host, hundreds of containers can be run on the same server resources.


Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...

Comments
Charlie Babcock, User Rank: Author
11/26/2014 | 4:15:19 PM
Docker CEO comments on Docker security process
Docker CEO Ben Golub said in an interview that the time lapse between the discovery of the exposure and its fix was about a week and a half. Interested parties were notified that a new release was coming a few days before it was available, so they could install it as quickly as possible. Then the exposure was made public. There have been no known exploits using it in the wild so far, he said.