As for mitigation, Docker Engine version 1.12.6 addresses the issue. Depending on the distribution you use, you may need to update your RunC package as well.
This issue may not have a catchy name, and it's certainly not the kind of issue that will attract much media attention. Nonetheless, I do believe there are two lessons to be learned here.
- Don't disable SELinux (or any other Linux Security Module)
LSMs are your last line of defense, often protecting you from unknown 0-days similar to the vulnerability above.
Don't miss the great blog post by Dan Walsh showing exactly how an attack may happen and how SELinux mitigates the attack.
- Automate software updates and patching
Every piece of software we run may contain the next 0-day. Once the 0-day is published, the hard work of discovering the attack is over, and any person with the right skills can exploit it. But how could you possibly manage manually patching all your servers?
This is one of the main reasons why choosing continuous deployment should be a no-brainer. Read the following blog post by Michael Chletsos about security patching Assembla's production environment within one hour.
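A quick host check for the two lessons above, as an added example that is not part of the original post: it compares the Docker Engine version against 1.12.6 and confirms that SELinux is enforcing. The function names and the `--live` switch are this example's own; it does not check the RunC package (the fixed RunC version is not stated here), and it looks at SELinux only, not other LSMs.

```shell
#!/bin/sh
# Added example: check a host against the two lessons in this post.
FIXED_DOCKER="1.12.6"   # fixed Docker Engine release named in the post

# version_ge A B: succeed when dotted version A >= B, comparing field by
# field as numbers (so 1.9.1 < 1.12.6, which a string compare gets wrong).
# Suffixes such as "-ce" or "-rc1" are ignored.
version_ge() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*} y=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        x=${x%%[!0-9]*} y=${y%%[!0-9]*}
        x=${x:-0} y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# audit_host DOCKER_VERSION SELINUX_MODE: print one line per check and
# return the number of failed checks (0 means both lessons are applied).
audit_host() {
    docker_ver=$1 selinux_mode=$2 failures=0
    if version_ge "$docker_ver" "$FIXED_DOCKER"; then
        echo "PASS docker engine $docker_ver >= $FIXED_DOCKER"
    else
        echo "FAIL docker engine ${docker_ver:-unknown} < $FIXED_DOCKER: update it and the distro RunC package"
        failures=$((failures + 1))
    fi
    case $selinux_mode in
        Enforcing) echo "PASS SELinux is Enforcing" ;;
        *)  echo "FAIL SELinux is ${selinux_mode:-unknown}: switch it back to Enforcing"
            failures=$((failures + 1)) ;;
    esac
    return "$failures"
}

# With --live, read the real values from this host; an unreachable daemon
# or a missing getenforce yields an empty value, which counts as a failure.
if [ "${1:-}" = "--live" ]; then
    audit_host "$(docker version --format '{{.Server.Version}}' 2>/dev/null)" \
               "$(getenforce 2>/dev/null)"
    exit $?
fi
```

Run it with `--live` from cron or a configuration-management job and alert on a non-zero exit status.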
Get in touch with us if you need any help with upgrading your security or automating your updates.