Bug 902413 (CVE-2014-5282) - VUL-0: CVE-2014-5282: docker: Tagging image to ID can redirect images on subsequent pulls
Status: RESOLVED FIXED
Alias: CVE-2014-5282
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Assignee: Flavio Castelli
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/109509/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-23 13:39 UTC by Victor Pereira
Modified: 2016-04-27 19:02 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Victor Pereira 2014-10-23 13:39:41 UTC
CVE-2014-5282

Affects: Docker 1.2 and lower

Description:

It has been discovered that users of the Docker Remote API and CLI could cause one image repository, upon pull, to redirect to the content of another image. This vulnerability affects all versions of Docker up to, but excluding, version 1.3.

The primary vector for an attack is the loading of untrusted images via ‘docker load’. Images downloaded from DockerHub or private registries cannot exploit this vulnerability.

It is recommended that users upgrade to Docker engine 1.3.

Users of older releases of docker are advised not to load untrusted images via ‘docker load’. Vendors supporting older releases of Docker should ensure they do not allow untrusted tenants to provide images for import with ‘docker load’, or to tag images to arbitrary names of exactly 64 characters drawn from the range [0-9a-f].

Discovered by Eric Windisch of Docker, Inc.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5282
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5282.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5282
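As an added defender-side example (not part of the advisory, this bug, or Docker's own code), the check below implements the mitigation the description recommends for engines older than 1.3: before running ‘docker load’, inspect the archive's top-level `repositories` file (assumed ‘docker save’ layout, `{"repo": {"tag": "<layer id>"}}`) and flag any repository or tag name that is exactly 64 characters of [0-9a-f], since such a name has the syntax of an image ID. The sample archive and the layer names in it are constructed for the demonstration.

```python
import io
import json
import re
import tarfile

# A full image ID is 64 lowercase hex characters; a repository or tag name of
# that shape is what the advisory says older engines may resolve as an ID.
ID_LIKE = re.compile(r"^[0-9a-f]{64}$")


def is_id_like(name: str) -> bool:
    """True if a repository or tag name has the syntax of a full image ID."""
    return bool(ID_LIKE.match(name))


def find_id_like_names(repositories: dict) -> list:
    """Return (repository, tag) pairs whose repository or tag looks like an ID.

    `repositories` follows the assumed 'repositories' file layout written by
    `docker save`: {"repo": {"tag": "<layer id>"}}.
    """
    hits = []
    for repo, tags in repositories.items():
        for tag in tags:
            if is_id_like(repo) or is_id_like(tag):
                hits.append((repo, tag))
    return hits


def scan_save_archive(data: bytes) -> list:
    """Scan a `docker save` tar (as bytes) before it is passed to `docker load`."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        try:
            member = tar.extractfile("repositories")  # KeyError if absent
        except KeyError:
            return []
        repositories = json.load(member)
    return find_id_like_names(repositories)


def build_sample_archive() -> bytes:
    """Constructed sample: one benign tag plus one tag named like an image ID."""
    bogus_id = "a" * 64  # constructed value, not a real image ID
    repositories = {
        "busybox": {"latest": "layer1"},
        "acme/app": {bogus_id: "layer2"},  # tag colliding with ID syntax
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = json.dumps(repositories).encode()
        info = tarfile.TarInfo("repositories")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

A rejected name should be refused at import time rather than renamed, so the tenant sees why the archive was not loaded.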
Comment 1 Swamp Workflow Management 2014-10-23 22:01:44 UTC
bugbot adjusting priority
Comment 3 Bernhard Wiedemann 2014-10-24 09:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (902413) was mentioned in
https://build.opensuse.org/request/show/258208 13.2 / docker
Comment 5 Bernhard Wiedemann 2014-10-28 11:00:12 UTC
This is an autogenerated message for OBS integration:
This bug (902413) was mentioned in
https://build.opensuse.org/request/show/258642 13.2 / docker.openSUSE_13.2
Comment 6 Flavio Castelli 2014-10-30 14:34:37 UTC
Updated packages have been submitted to SLE12 and to openSUSE 13.2. An updated package is already inside of the Virtualization repository on OBS.

Closing the issue.
Comment 7 Swamp Workflow Management 2014-12-15 13:05:11 UTC
SUSE-SU-2014:1648-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 898901,902289,902413,907012,907014
CVE References: CVE-2014-5277,CVE-2014-5282,CVE-2014-6407,CVE-2014-6408,CVE-2014-7189
Sources used:
SUSE Linux Enterprise Server 12 (src):    docker-1.3.2-9.1, sle2docker-0.2.3-5.1