openSUSE-SU-2019:2021

RHBA-2018:2796

RHSA-2018:2482

RHSA-2018:2729

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10892

https://github.com/moby/moby/pull/37404

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has docker-ce packages installed that are affected by multiple vulnerabilities:

  - Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0,     17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a     Denial of Service via a crafted image layer payload, aka gzip bombing. (CVE-2017-14992)

  - The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block     /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are     used) by leveraging Docker container access to write a scsi remove-single-device line to     /proc/scsi/scsi, aka SCSI MICDROP. (CVE-2017-16539)

  - libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than     ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall     arguments could bypass intended access restrictions by specifying a single matching argument.
    (CVE-2017-18367)

  - The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block     /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling     bluetooth or turning up/down keyboard brightness. (CVE-2018-10892)

  - In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a     symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host     filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen     filesystem (or from within a chroot). (CVE-2018-15664)

  - Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via     a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go,     pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. (CVE-2018-20699)

  - In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the     docker build command would be able to gain command execution. An issue exists in the way docker build     processes remote git URLs, and results in command injection into the underlying git clone command,     leading to code execution in the context of the user executing the docker build command. This occurs     because git ref can be misinterpreted as a flag. (CVE-2019-13139)

  - In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before     18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a     scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It     potentially applies to other API users of the stack API if they resend the secret. (CVE-2019-13509)

  - runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite     the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a     command as root within one of these types of containers: (1) a new container with an attacker-controlled     image, or (2) an existing container, to which the attacker previously had write access, that can be     attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
    (CVE-2019-5736)

  - An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW     capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain     sensitive information, or cause a denial of service. (CVE-2020-13401)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues :

Docker :

  - CVE-2019-14271: Fixed a code injection if the nsswitch     facility dynamically loaded a library inside a chroot     (bsc#1143409).

  - CVE-2019-13509: Fixed an information leak in the debug     log (bsc#1142160).

  - Update to version 19.03.1-ce, see changelog at     /usr/share/doc/packages/docker/CHANGELOG.md     (bsc#1142413, bsc#1139649).

runc :

  - Use %config(noreplace) for /etc/docker/daemon.json     (bsc#1138920).

  - Update to runc 425e105d5a03, which is required by Docker     (bsc#1139649).

containerd :

  - CVE-2019-5736: Fixed a container breakout vulnerability     (bsc#1121967).

  - Update to containerd v1.2.6, which is required by docker     (bsc#1139649).

golang-github-docker-libnetwork :

  - Update to version     git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is     required by docker (bsc#1142413, bsc#1139649).

This update was imported from the SUSE:SLE-15:Update update project.

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues :

Docker :

CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409).

CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160).

Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649).

runc: Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920).

Update to runc 425e105d5a03, which is required by Docker (bsc#1139649).

containerd: CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967).

Update to containerd v1.2.6, which is required by docker (bsc#1139649).

golang-github-docker-libnetwork: Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413, bsc#1139649).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Resolves: #1666565, #1667625 - CVE-2018-20699

  - Resolves: #1663068, #1667626 - umount all procfs and     sysfs with --no-pivot

  - built docker @projectatomic/docker-1.13.1 commit 1185cfd

  - built docker-runc @projectatomic/docker-1.13.1 commit     e4ffe43

----

Resolves: #1598581, #1598582 - CVE-2018-10892

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Resolves: #1598581, #1598583 - CVE-2018-10892

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Latest release

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to latest version.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The default OCI Linux spec in oci/defaults{_linux}.go in Docker/Moby, from 1.11 to current, does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling Bluetooth or turning up/down keyboard brightness.(CVE-2018-10892)

An update for docker is now available for Red Hat Enterprise Linux 7 Extras.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Docker is an open source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere.

Security Fix(es) :

* docker: container breakout without selinux in enforcing mode (CVE-2018-10892)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

This issue was discovered by Antonio Murdaca (Red Hat).

Bug Fix(es) :

* Previously, the `dontaudit` and `allow` SELinux rules were missing, so the kernel raised a SELinux AVC message. Consequently, some commands did not work as expected. This update adds the missing rules, and the commands now run successfully. (BZ#1550967)

* Previously, during a restart the container daemon did not restore the state of a container correctly if an exec'ed process was associated with the container. Consequently, the container daemon aborted with 'panic: close of nil channel' when the daemon was handling the termination of the exec'ed process. This bug has been fixed, and the container daemon no longer panics in the aforementioned scenario. (BZ#1554121)

* Previously, bind mounts were resolved before using them inside a container. Consequently, symlinks could not be mounted inside of the container. With this update, the source of a bind mount is not resolved. As a result, it is possible to bind mount symlinks again into a container. (BZ#1603201)

ID	Name	Product	Family	Severity
143962	NewStart CGSL CORE 5.04 / MAIN 5.04 : docker-ce Multiple Vulnerabilities (NS-SA-2020-0082)	Nessus	NewStart CGSL Local Security Checks	high
128409	openSUSE Security Update : containerd / docker / docker-runc / etc (openSUSE-2019-2021)	Nessus	SuSE Local Security Checks	high
127884	SUSE SLED15 / SLES15 Security Update : containerd, docker, docker-runc, golang-github-docker-libnetwork (SUSE-SU-2019:2117-1)	Nessus	SuSE Local Security Checks	high
121488	Fedora 28 : 2:docker-latest (2019-723711c645)	Nessus	Fedora Local Security Checks	medium
120633	Fedora 28 : 2:docker (2018-9695e9b0ed)	Nessus	Fedora Local Security Checks	medium
120472	Fedora 28 : podman (2018-6243646704)	Nessus	Fedora Local Security Checks	medium
120308	Fedora 28 : 2:cri-o (2018-28f30efaf6)	Nessus	Fedora Local Security Checks	medium
117343	Amazon Linux AMI : docker (ALAS-2018-1071)	Nessus	Amazon Linux Local Security Checks	medium
111805	RHEL 7 : docker (RHSA-2018:2482)	Nessus	Red Hat Local Security Checks	medium

CVE-2018-10892

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins

high

high

high

medium

medium

medium

medium

medium

medium