UPDATED 07:00 EDT / DECEMBER 15 2014

Docker dodges another security flaw with new patch

Docker’s container tech has been hit by more security woes, with the revelation that an earlier security patch has led to a brand new vulnerability being discovered in the software.

Docker rolled out version 1.3.2 last month in order to patch a bug that allowed rogue programs to break out of their containers and access image files on the host operating system. But this update has now been supplanted by Docker 1.3.3, and users are being urged to update as soon as possible.

Once again, the new flaw was discovered by the security researcher Tõnis Tiigi. Writing in a blog post, he explained that Docker 1.3.2 added a new “chroot” sandboxing feature that closed off a vulnerability which could be exploited when uncompressing Docker images. However, the new version introduced another vulnerability that attackers can exploit by including malicious .xz binaries in image files. This means attackers could potentially execute malicious code with root privileges on affected systems.

Security is unfortunately beginning to become a bit of a sore point for Docker, which has risen to prominence as a simpler alternative to virtualization, especially in the cloud.

Docker has also come under attack from its new rival CoreOS, which builds a lightweight Linux distro designed with containers in mind. Alex Polvi, CEO of CoreOS, claimed that Docker’s security model was “broken”, and that its “Docker-as-a-platform” design was “fundamentally flawed”. As a result, CoreOS recently introduced its own alternative container technology, called Rocket.

Naturally Docker has brushed off these criticisms, insisting that security is of “paramount importance” as it rolled out two new versions of its software last week. As well as version 1.3.3, it simultaneously introduced Docker version 1.4.0, which contained more than 180 bug fixes.

“In the future, we expect new execution engine plugins to offer more choice and greater granularity for our security-focused users,” said Docker’s Marianna Tessel in a blog post.

According to Tessel, Docker 1.3.3 introduces signed images into its repositories to guard against malicious attacks. Meanwhile, she also proposed a new ‘trust system’ to help customers ensure any images they download are legitimate.

photo credit: Ingrid Taylar via photopin cc
