Banjot Chanana

Docker Security Update: CVE-2019-5736 and Container Security Best Practices


On Monday, February 11, Docker released an update to fix a privilege escalation vulnerability (CVE-2019-5736) in runC, the reference implementation of the Open Container Initiative (OCI) runtime specification that Docker Engine and containerd use to start containers. The vulnerability allows a malicious container, for example one started from a specially crafted container image, to overwrite the host's runC binary and thereby gain root privileges on the host. Docker engineering worked with the runC maintainers at the OCI to issue a patch for this vulnerability.

Docker recommends applying the update immediately to avoid any potential security threats. For Docker Engine-Community, this means updating to 18.09.2 or 18.06.3. For Docker Engine-Enterprise, this means updating to 18.09.2, 18.03.1-ee-6, or 17.06.2-ee-19. Read the release notes before applying the update, as they contain specific instructions for Ubuntu and RHEL. Docker Desktop users should download the update for Mac or Windows.

Summary of the Docker Engine versions that address the vulnerability:

Docker Engine Community    Docker Engine Enterprise
18.09.2                    18.09.2
18.06.3                    18.03.1-ee-6
                           17.06.2-ee-19
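As an added example (not part of the original post and not Docker's own tooling), the following POSIX shell function decides whether a Docker Engine version string is at or past the fixed releases in the table above. It treats any later release on the same branch, or any newer branch, as fixed and everything else (older branches, malformed strings) as unpatched, which is the safe default for an audit. The `--live` mode queries the local daemon with `docker version --format '{{.Server.Version}}'`; the sample version strings in the block are constructed.

```shell
#!/bin/sh
# Check Docker Engine version strings against the CVE-2019-5736 fix thresholds:
# Community 18.09.2 / 18.06.3, Enterprise 18.09.2 / 18.03.1-ee-6 / 17.06.2-ee-19.
# Added example, not Docker's code.

# docker_engine_patched VERSION -> exit 0 if the version carries the fix, 1 otherwise
docker_engine_patched() {
    v="$1"
    base="${v%%-*}"                  # 18.03.1-ee-6 -> 18.03.1, 18.06.1-ce -> 18.06.1
    ee=""
    case "$v" in
        *-ee-*) ee="${v##*-ee-}" ;;  # enterprise build number: 18.03.1-ee-6 -> 6
    esac
    case "$ee" in *[!0-9]*) ee="" ;; esac

    oldifs="$IFS"; IFS=.
    set -- $base                     # split on dots into $1 $2 $3
    IFS="$oldifs"
    major="${1:-}"; minor="${2:-0}"; patch="${3:-0}"
    minor="${minor#0}"; minor="${minor:-0}"   # "09" -> "9": avoids octal in [ -gt ]
    patch="${patch#0}"; patch="${patch:-0}"
    [ -n "$major" ] || return 1
    case "$major:$minor:$patch" in *[!0-9:]*) return 1 ;; esac

    # Every branch newer than 18.09 shipped after the fix.
    if [ "$major" -gt 18 ] || { [ "$major" -eq 18 ] && [ "$minor" -gt 9 ]; }; then
        return 0
    fi
    # Otherwise the branch must be one of the patched ones in the table.
    case "$major.$minor" in
        18.9) [ "$patch" -ge 2 ] ;;                                    # 18.09.2 (CE and EE)
        18.6) [ -z "$ee" ] && [ "$patch" -ge 3 ] ;;                    # 18.06.3 (CE)
        18.3) [ -n "$ee" ] && [ "$patch" -eq 1 ] && [ "$ee" -ge 6 ] ;; # 18.03.1-ee-6
        17.6) [ -n "$ee" ] && [ "$patch" -eq 2 ] && [ "$ee" -ge 19 ] ;; # 17.06.2-ee-19
        *)    return 1 ;;
    esac
}

# Stand-alone use: "sh check.sh 18.09.1 18.06.3-ce" checks the given strings;
# "sh check.sh --live" asks the local daemon for its version instead.
if [ "${1:-}" = "--live" ]; then
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || ver=""
    set -- "${ver:-unknown}"
fi
for ver in "$@"; do
    if docker_engine_patched "$ver"; then
        printf '%s: fixed for CVE-2019-5736\n' "$ver"
    else
        printf '%s: NOT fixed, upgrade\n' "$ver"
    fi
done
```

The `-ce` suffix that 18.06 and older community builds carry is dropped together with any other suffix before the numeric comparison, while `-ee-N` is kept because the Enterprise fix is identified by that build number.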

To better protect the container images run by Docker Engine, here are some additional recommendations and best practices:

Use Docker Official Images

Official Images are a curated set of Docker repositories hosted on Docker Hub that are designed to:

  • Provide essential base OS repositories (for example, ubuntu, centos) that serve as the starting point for the majority of users.
  • Provide drop-in solutions for popular programming language runtimes, data stores and other services.
  • Exemplify Dockerfile best practices and provide clear documentation to serve as a reference for other Dockerfile authors. Specific to this vulnerability, running containers as a non-privileged user, as outlined in the USER section of the Dockerfile best practices, can mitigate this issue, because the attack requires a command to run as root inside the container.
  • Ensure that security updates are applied in a timely manner. Security updates should be applied immediately, and users should then rebuild and publish their own images on top of the updated bases. This is particularly important because many Official Images are among the most popular images on Docker Hub.

Docker sponsors a dedicated team that is responsible for reviewing and publishing all content in the Official Images. This team works in collaboration with upstream software maintainers, security experts, and the broader Docker community to ensure the security of these images.

Use Docker Certified Containers

The Docker Enterprise container platform enables you to ensure the integrity of your images. Security is not a static, one-time activity but a continuous process that follows the application across the different stages of the application pipeline. To prevent systems from being compromised, Docker Enterprise provides integrated security across the supply chain. Docker Enterprise users that follow security best practices and run trusted code based on Docker Certified images can be assured that their software images:

  • Have been tested and are supported on the Docker Enterprise container platform by verified publishers
  • Adhere to Docker's container best practices for building Dockerfiles and images
  • Pass a functional API test suite
  • Complete a vulnerability scanning assessment

Docker Certification gives users and enterprises a trusted way to run more technology in containers with support from both Docker and the publisher. Customers can quickly identify certified content by its visible badges and be confident that it was built with best practices and tested to operate smoothly on Docker Enterprise.

Leverage Docker Enterprise Features for Additional Protection

Docker Enterprise provides additional layers of protection across the software supply chain through content validation and runtime application security. This includes role-based access control (RBAC) for flexible and granular access privileges across multiple teams to determine who in the organization can run a container. Administrators can also set a policy restricting the ability for any user to run a privileged container on a cluster.
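Two of the conditions discussed on this page, containers that run as root (the USER practice under Official Images above) and containers started with `--privileged` (the policy described here), can be audited on any host without Docker Enterprise. The following is an added example, not Docker's code and not part of the original post: it reads one line per container in the form `name|user|privileged`, which is the assumed output of `docker inspect --format '{{.Name}}|{{.Config.User}}|{{.HostConfig.Privileged}}'`, and reports every container that matches either condition. The three input lines in the block are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit running containers for root users and privileged mode.
# Added example, not Docker's code. Input lines: <name>|<user>|<privileged>
# (assumed --format string; '|' is used because tab would be collapsed by read).

# user_is_root USER -> exit 0 when a Config.User value means uid 0.
# Docker treats an empty user (no USER in the Dockerfile), "root", "0",
# "0:0" and "root:root" as root; the group part is irrelevant.
user_is_root() {
    u="${1%%:*}"               # drop ":group"
    case "$u" in
        ''|root|0) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_containers < lines -> prints one finding per offending container,
# exit 0 when there are no findings, 1 otherwise.
audit_containers() {
    findings=0
    while IFS='|' read -r name user priv; do
        [ -n "$name" ] || continue
        name="${name#/}"        # docker inspect reports names as "/web"
        if [ "$priv" = "true" ]; then
            printf '%s: started with --privileged\n' "$name"
            findings=$((findings + 1))
        fi
        if user_is_root "$user"; then
            printf "%s: runs as root inside the container (Config.User='%s')\\n" "$name" "$user"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

fmt='{{.Name}}|{{.Config.User}}|{{.HostConfig.Privileged}}'

if [ "${1:-}" = "--live" ]; then
    # Real audit of the local daemon (needs at least one running container).
    docker ps -q | xargs docker inspect --format "$fmt" | audit_containers
else
    # Constructed sample: a non-root web container, a DB with no USER set,
    # and an agent running as root with --privileged.
    if printf '%s\n' '/web|1000:1000|false' '/db||false' '/agent|root|true' | audit_containers; then
        echo "no findings"
    fi
fi
```

Running the block without arguments prints two findings for `db` and `agent` and none for `web`; `--live` replaces the sample with the output of `docker inspect` for every running container.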

Additionally, Docker Content Trust enables cryptographic digital signing to confirm container image provenance and authenticity – in effect providing your operations team with details about the author of an application and confirming that it hasn’t been tampered with or modified in any way. With policy enforcement at runtime, Docker Enterprise ensures that only container images signed by trusted teams can run in a cluster.

For more information:

Find out how to upgrade Docker Engine – Enterprise

Learn how to upgrade Docker Engine – Community

Get more information on Docker Enterprise

Learn more about Docker Security.
