Nathan McCauley

Security Release: Docker 1.8.3 and 1.6.2-CS7

As part of our ongoing security efforts, a vulnerability was discovered that affects the way content is stored and retrieved within the Docker Engine. Today we are releasing a security update that addresses this issue in accordance with our coordinated responsible disclosure policy.

The new versions and upgrade instructions can be found here for open source users and here for commercially supported customers.


 

Overview

At push time, Docker’s layer IDs are currently randomly generated and assigned.  An image intentionally created to have colliding layer IDs can override a subsequently pulled layer’s ID causing different content to run than intended. This vulnerability can only affect Docker Engine hosts where the user has been convinced into pulling a maliciously crafted image. The upgrade to Docker ensures that the content on disk matches the content of the layer being pulled, or a new non-colliding ID will be generated and assigned (a change only to the metadata).

In order to ensure user safety, we conducted a thorough audit of every image on Docker Hub, and found no evidence of malicious uses of conflicting layer IDs. We have also had no reports of exploits of this vulnerability. Nevertheless, we strongly recommend that users update to the new versions of Docker Engine.


 

Upgrade Instructions

We recommend that users upgrade to the latest version of Docker Engine. If you are unable to upgrade right away, only pull content from trusted sources.  Additionally you can follow Docker security best practices (which includes only pulling from trusted sources) and audit your host configurations using Docker Bench.

Upgrade instructions and software downloads are available here:

Docker 1.8.3 open source

Docker 1.6.2-CS7 for commercial customers

You can expect our team to continue improving the security of Docker by not only shipping features such as Docker Content Trust and tools like Docker Bench, but also by continuing to be proactive in finding security vulnerabilities in our products.

To keep up to date on all the latest Docker Security news, make sure you check out our Security page, subscribe to our mailing list, or find us in #docker-security.


 

 Learn More about Docker

• New to Docker? Try our 10 min online tutorial
• Sign up for a free 30 day trial of Docker
• Share images, automate builds, and more with a free Docker Hub account
• Read the Docker 1.8 Release Notes
• Subscribe to Docker Weekly
• Register for upcoming Docker Online Meetups
• Attend upcoming Docker Meetups
• Register for DockerCon Europe 2015
• Start contributing to Docker

 

, ,

Nathan McCauley

Security Release: Docker 1.8.3 and 1.6.2-CS7


One Response to “Security Release: Docker 1.8.3 and 1.6.2-CS7”

  1. Falha de segurança, atualize seu Docker para 1.8.3 - Peguei do

    […] foi encontrada uma vulnerabilidade de segurança no Docker, que permite modificação de conteúdo nas imagens locais do Docker […]

Comments are closed.

Get the Latest Docker News by Email

Docker Weekly is a newsletter with the latest content on Docker and the agenda for the upcoming weeks.