Bug 907014 (CVE-2014-6408) - VUL-0: CVE-2014-6408: docker: potential container escalation
Summary: VUL-0: CVE-2014-6408: docker: potential container escalation
Status: RESOLVED FIXED
Alias: CVE-2014-6408
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/110994/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-25 09:10 UTC by Johannes Segitz
Modified: 2018-12-14 15:10 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2014-11-25 09:10:25 UTC
Docker versions 1.3.0 through 1.3.1 allowed security options to be applied
to images, allowing images to modify the default run profile of containers
executing these images. This vulnerability could allow a malicious image
creator to loosen the restrictions applied to a container’s processes,
potentially facilitating a break-out.

Docker 1.3.2 remedies this vulnerability. Security options applied to
images are no longer consumed by the Docker engine and will be ignored.
Users are advised to upgrade.

--

Affects SLE 12 and openSUSE 13.2. Requires using an untrusted external repo, which is a bad idea anyway.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1167506
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6408
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6408
http://seclists.org/oss-sec/2014/q4/781
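As an added check, not part of the bug report or of Docker itself: a small POSIX sh helper that decides whether a given Docker engine version falls in the affected range stated above (1.3.0 through 1.3.1, fixed in 1.3.2). The banner format "Docker version X.Y.Z, build ..." is what `docker --version` prints; the build id in the sample is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the bug report): version check for CVE-2014-6408.
# Affected: Docker 1.3.0 and 1.3.1. Fixed: 1.3.2 and later.

# Pull the dotted version out of a "Docker version X.Y.Z, build ..." banner.
docker_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Docker version \([0-9.]*\),.*/\1/p'
}

# Returns 0 when $1 is an affected version, 1 when it is not
# (older than 1.3.0 or 1.3.2 and newer), 2 when $1 is not a dotted number.
docker_affected_by_cve_2014_6408() {
    ver=$1
    case "$ver" in
        ""|*[!0-9.]*|.*|*.) return 2 ;;
    esac
    # Turn x.y.z into one integer so that 1.10.0 sorts after 1.3.2
    # (string comparison would get that wrong). Components assumed < 1000.
    key=$(printf '%s\n' "$ver" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }')
    # 1.3.0 -> 1003000, 1.3.2 -> 1003002
    if [ "$key" -ge 1003000 ] && [ "$key" -lt 1003002 ]; then
        return 0
    fi
    return 1
}

# Constructed sample banner (build id is a placeholder, not a real commit).
banner='Docker version 1.3.1, build abc1234'
if docker_affected_by_cve_2014_6408 "$(docker_version_from_banner "$banner")"; then
    echo "affected by CVE-2014-6408: upgrade to docker 1.3.2 or later"
else
    echo "not affected by CVE-2014-6408"
fi
```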
Comment 1 Swamp Workflow Management 2014-11-25 23:00:35 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2014-11-27 20:47:24 UTC
accepted and merged. sorry for the delay
Comment 3 Swamp Workflow Management 2014-12-08 16:08:09 UTC
openSUSE-SU-2014:1596-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 907012,907014
CVE References: CVE-2014-6407,CVE-2014-6408
Sources used:
openSUSE 13.2 (src):    docker-1.3.2-9.1
Comment 4 Flavio Castelli 2014-12-10 15:48:35 UTC
Why is this package still not available to our customers?
Comment 5 Johannes Segitz 2014-12-10 16:22:13 UTC
(In reply to Flavio Castelli from comment #4)
SUSE:Maintenance:119 is still in QA, I will ask them to speed this up
Comment 6 Flavio Castelli 2014-12-11 08:59:34 UTC
This package is in tech preview, so there's no need to perform QA on that.
Comment 8 Flavio Castelli 2014-12-12 16:59:16 UTC
I perform QA for the docker package. AFAIK that was part of the agreement we had to get docker into SLE12 as a technical preview.

However, this is what I usually do:
  * install the docker package
  * systemctl start docker
  * docker images
  * docker pull busybox
  * docker run --rm -ti busybox /bin/sh
  * ping google.it # (that time from inside of the docker container)
  * exit # from the docker container

BTW: I just pushed a newer version of the docker package (1.4.0) to fix new security issues.
Comment 9 Swamp Workflow Management 2014-12-15 13:05:31 UTC
SUSE-SU-2014:1648-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 898901,902289,902413,907012,907014
CVE References: CVE-2014-5277,CVE-2014-5282,CVE-2014-6407,CVE-2014-6408,CVE-2014-7189
Sources used:
SUSE Linux Enterprise Server 12 (src):    docker-1.3.2-9.1, sle2docker-0.2.3-5.1
Comment 10 Marcus Meissner 2014-12-15 13:18:19 UTC
done