Batten down the patches: New vuln found in Docker container tech
Last month's patch brought new privilege escalation flaw
More security woes plagued users of the Docker application containerization tech for Linux this week, after an earlier security patch was found to have introduced a brand-new critical vulnerability in the software.
The Docker 1.3.2 update, which was released in November to address critical bugs that could be exploited by an attacker via a malicious Docker image file, has now been supplanted by Docker 1.3.3, and all users of version 1.3.2 are urged to upgrade ASAP.
It seems that although the 1.3.2 patch introduced "chroot" sandboxing when uncompressing Docker images to close the earlier vuln, it brought with it yet another bug that could be exploited by including malicious .xz binaries in image files. The result is that an attacker can potentially execute arbitrary code with root-user privileges on affected systems.
As with the November vulnerability, the new bug was spotted by independent security researcher Tõnis Tiigi.
Such security problems have been a black eye for Docker, which is increasingly being eyed as a cleaner replacement for virtualization technology, particularly on cloud-hosted servers.
Earlier this month, Alex Polvi, CEO of CoreOS, which markets an eponymous Linux distribution for massive-scale server deployments, slammed Docker's security model as being "broken," adding that its daemon-driven design is "fundamentally flawed." CoreOS is now working on a simpler Docker alternative called Rocket.
For its part, Docker says it considers security to be "of paramount importance." Bug fixes, rather than new features, were the primary focus of version 1.4.0 of the software, which was released on Thursday simultaneous with version 1.3.3 and includes more than 180 fixes.
In a blog post, Docker senior engineering veep Marianna Tessel said, "In the future, we expect new execution engine plugins to offer more choice and greater granularity for our security-focused users."
She added that Docker introduced signed images into its repositories with version 1.3 and that it has proposed a trust system to help customers ensure that the images they are downloading are legit.
"As we grow, we will continue our investment in our security team, contributions, tooling and processes," Tessel said. "This investment will make Docker safer, helping it become a secure and trusted partner for our users." ®