Two Lessons Learned from the Latest Docker Vulnerability


AllCloud Blog:
Cloud Insights and Innovation

A new Docker vulnerability was announced by Docker and SUSE on January 10th, 2017. It lives in runC, the OCI runtime that Docker Engine uses to start containers, and CVE-2016-9962 is described by Docker as follows:

RunC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.


As for mitigation, Docker Engine version 1.12.6 addresses the issue. Depending on the distribution you use, runC may be packaged separately from the engine, in which case you need to update the runC package as well.

This issue may not have a catchy name and it’s certainly not the kind of issue that will raise much media attention. Nonetheless, I do believe there are 2 lessons to be learned here.

  • Don’t disable SELinux (or any other Linux Security Module)

An LSM such as SELinux or AppArmor is your last line of defense, and it often stops unknown 0-days like the vulnerability above: the policy confines what a container process may do regardless of whether the bug underneath has been patched. In this case the container's processes run in a confined domain that has no permission to ptrace processes in the runtime's domain, so the ptrace the exploit depends on is denied. That protection only exists while the LSM is enforcing and the Docker daemon was started with it enabled; a permissive mode logs the denial but blocks nothing.

Don’t miss the great blog post by Dan Walsh showing exactly how an attack may happen and how SELinux mitigates the attack.
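To check that the defense is actually in force rather than merely installed, here is a small audit script, added as an example; it is not from the original post or from Dan Walsh's article. It checks the three things that have to be true together: that selinux is in the kernel's active LSM list (`/sys/kernel/security/lsm`), that SELinux is in enforcing mode (`getenforce`), and that the Docker daemon was started with SELinux support (the `Security Options` field of `docker info`, which Docker 1.12 prints on one line and later engines print as an indented list). The functions take their input as text so they can be exercised against the constructed samples without a daemon; the function names are this example's own, and the live audit at the bottom skips any check whose tool is missing.

```shell
#!/bin/sh
# Added example, not from the original post or from Dan Walsh's article: is
# the LSM actually in force for containers on this host? Each check takes its
# input as text so it can be run against samples; function names are this
# example's own.

# lsm_active LSM_LIST NAME -> 0 if NAME is one of the comma-separated entries
# of LSM_LIST, the content of /sys/kernel/security/lsm (for example
# "capability,yama,selinux"). A kernel booted with selinux=0 does not list it.
lsm_active() {
    printf '%s' "$1" | tr ',' '\n' | grep -qx "$2"
}

# selinux_enforcing MODE -> 0 only for "Enforcing", the output of `getenforce`.
# "Permissive" logs the denial that would have stopped a ptrace but allows it,
# so for this purpose it counts the same as "Disabled".
selinux_enforcing() {
    [ "$1" = "Enforcing" ]
}

# docker_has_selinux INFO -> 0 if the "Security Options" field of `docker info`
# output (INFO) lists selinux. Docker 1.12 prints the options on the same
# line; later engines print an indented list, so both layouts are handled.
# If selinux is absent the daemon was not started with --selinux-enabled and
# containers run without SELinux labels.
docker_has_selinux() {
    printf '%s\n' "$1" | awk '
        /^ *Security Options:/                   { inblock = 1 }
        !/^ *Security Options:/ && /^[^ ]/       { inblock = 0 }  # next top-level field
        inblock && /(^|[^a-z])selinux([^a-z]|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Live audit when the tools are present; a check is skipped otherwise.
if [ -r /sys/kernel/security/lsm ]; then
    if lsm_active "$(cat /sys/kernel/security/lsm)" selinux; then
        echo "kernel: selinux is an active LSM"
    else
        echo "kernel: selinux is NOT in active LSM list ($(cat /sys/kernel/security/lsm))"
    fi
fi
if command -v getenforce >/dev/null 2>&1; then
    if selinux_enforcing "$(getenforce)"; then
        echo "selinux: enforcing"
    else
        echo "selinux: $(getenforce), not enforcing"
    fi
fi
if command -v docker >/dev/null 2>&1 && info=$(docker info 2>/dev/null); then
    if docker_has_selinux "$info"; then
        echo "docker: started with selinux support"
    else
        echo "docker: selinux not in Security Options (start dockerd with --selinux-enabled, or \"selinux-enabled\": true in daemon.json)"
    fi
fi
```

Confinement is also per container: `docker run --privileged` or `--security-opt label=disable` removes the SELinux label from that container, so an enforcing host can still be running unprotected containers if those flags are in use. Audit for them alongside the daemon setting.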

  • Automate software updates and patching

Every piece of software we run may contain the next 0-day. Once the bug is published, the hard work of discovering it is over, and anyone with the right skills can write or reuse an exploit for it; the window between disclosure and exploitation is what patching has to beat. But how could you possibly manage manually patching all your servers in that window?

This is one of the main reasons why choosing continuous deployment should be a no-brainer: a pipeline that already rebuilds and redeploys on every change can roll out a security patch the same way. Read the following blog post by Michael Chletsos about security patching Assembla’s production environment within one hour.

Get in touch with us if you need any help with upgrading your security or automating your updates.

Lahav Savir

Founder and CTO, Cloud Platforms
