openSUSE-SU-2020:0846

http://www.openwall.com/lists/oss-security/2020/06/01/5

https://docs.docker.com/engine/release-notes/

https://github.com/docker/docker-ce/releases/tag/v19.03.11

FEDORA-2020-5ba8c2d9d5

FEDORA-2020-6d7deafd81

GLSA-202008-15

https://security.netapp.com/advisory/ntap-20200717-0002/

DSA-4716

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has docker-ce packages installed that are affected by multiple vulnerabilities:

  - Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0,     17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a     Denial of Service via a crafted image layer payload, aka gzip bombing. (CVE-2017-14992)

  - The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block     /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are     used) by leveraging Docker container access to write a scsi remove-single-device line to     /proc/scsi/scsi, aka SCSI MICDROP. (CVE-2017-16539)

  - libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than     ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall     arguments could bypass intended access restrictions by specifying a single matching argument.
    (CVE-2017-18367)

  - The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block     /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling     bluetooth or turning up/down keyboard brightness. (CVE-2018-10892)

  - In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a     symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host     filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen     filesystem (or from within a chroot). (CVE-2018-15664)

  - Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via     a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go,     pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. (CVE-2018-20699)

  - In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the     docker build command would be able to gain command execution. An issue exists in the way docker build     processes remote git URLs, and results in command injection into the underlying git clone command,     leading to code execution in the context of the user executing the docker build command. This occurs     because git ref can be misinterpreted as a flag. (CVE-2019-13139)

  - In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before     18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a     scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It     potentially applies to other API users of the stack API if they resend the secret. (CVE-2019-13509)

  - runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite     the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a     command as root within one of these types of containers: (1) a new container with an attacker-controlled     image, or (2) an existing container, to which the attacker previously had write access, that can be     attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
    (CVE-2019-5736)

  - An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW     capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain     sensitive information, or cause a denial of service. (CVE-2020-13401)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has docker-ce packages installed that are affected by multiple vulnerabilities:

  - Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0,     17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a     Denial of Service via a crafted image layer payload, aka gzip bombing. (CVE-2017-14992)

  - The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block     /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are     used) by leveraging Docker container access to write a scsi remove-single-device line to     /proc/scsi/scsi, aka SCSI MICDROP. (CVE-2017-16539)

  - libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than     ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall     arguments could bypass intended access restrictions by specifying a single matching argument.
    (CVE-2017-18367)

  - The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block     /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling     bluetooth or turning up/down keyboard brightness. (CVE-2018-10892)

  - In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a     symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host     filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen     filesystem (or from within a chroot). (CVE-2018-15664)

  - Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via     a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go,     pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. (CVE-2018-20699)

  - In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the     docker build command would be able to gain command execution. An issue exists in the way docker build     processes remote git URLs, and results in command injection into the underlying git clone command,     leading to code execution in the context of the user executing the docker build command. This occurs     because git ref can be misinterpreted as a flag. (CVE-2019-13139)

  - In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before     18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a     scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It     potentially applies to other API users of the stack API if they resend the secret. (CVE-2019-13509)

  - runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite     the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a     command as root within one of these types of containers: (1) a new container with an attacker-controlled     image, or (2) an existing container, to which the attacker previously had write access, that can be     attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
    (CVE-2019-5736)

  - An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW     capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain     sensitive information, or cause a denial of service. (CVE-2020-13401)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202008-15 (Docker: Information disclosure)

    It was found that Docker created network bridges which by default accept       IPv6 router advertisements.
  Impact :

    An attacker who gained access to a container with CAP_NET_RAW capability       may be able to to spoof router advertisements, resulting in information       disclosure or denial of service.
  Workaround :

    There is no known workaround at this time.

According to the version of the docker-engine packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - An issue was discovered in Docker Engine before     19.03.11. An attacker in a container, with the     CAP_NET_RAW capability, can craft IPv6 router     advertisements, and consequently spoof external IPv6     hosts, obtain sensitive information, or cause a denial     of service.(CVE-2020-13401)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues :

Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13

  - CVE-2020-13401: Fixed an issue where an attacker with     CAP_NET_RAW capability, could have crafted IPv6 router     advertisements, and spoof external IPv6 hosts, resulting     in obtaining sensitive information or causing denial of     service (bsc#1172377).

This update was imported from the SUSE:SLE-15:Update update project.

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues :

Docker was updated to 19.03.11-ce runc was updated to version 1.0.0-rc10 containerd was updated to version 1.2.13

CVE-2020-13401: Fixed an issue where an attacker with CAP_NET_RAW capability, could have crafted IPv6 router advertisements, and spoof external IPv6 hosts, resulting in obtaining sensitive information or causing denial of service (bsc#1172377).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Etienne Champetier discovered that Docker, a Linux container runtime, created network bridges which by default accept IPv6 router advertisements. This could allow an attacker with the CAP_NET_RAW capability in a container to spoof router advertisements, resulting in information disclosure or denial of service.

Description of changes:

docker-cli [19.03.11-4]
- added patch for registry list

[19.03.11-3]
- update to 19.03.11 for CVE-2020-13401

[19.03.1-1.0.0]
- update to 19.03.1

[19.03-0.0.1]
- update to 19.03

[18.09.1-1.0.6]
- disable kmem accounting for UEKR4

[18.09.1-1.0.5]
- apply e4931e664feac6fa8846f3f04268a0cc98822549, fixes CVE-2019-5736

[18.09.1-1.0.4]
- fix authentication error when using docker hub and using 
--default-registry

[18.09.1-1.0.3]
- fix authentication errors when using docker hub

[18.09-1.0.0]
- rename to docker-cli

[18.09-0.0.1]
- merge docker-engine.spec changes by Oracle into docker-ce-cli.spec from upstream 18.09 branch

docker-engine [19.03.11-4]
- added patch for registry list

[19.03.11-3]
- update to 19.03.11 for CVE-2020-13401

[19.03.1-1.0.0]
- update to 19.03.1

[19.03-0.0.1]
- update to 19.03

[18.09.1-1.0.6]
- disable kmem accounting for UEKR4

[18.09.1-1.0.5]
- apply e4931e664feac6fa8846f3f04268a0cc98822549, fixes CVE-2019-5736

[18.09.1-1.0.4]
- fix authentication error when using docker hub and using 
--default-registry

[18.09.1-1.0.3]
- fix authentication errors when using docker hub

[18.09.1-1.0.2]
- use epoch in container-selinux dependency

[18.09.1-1.0.1]
- fix 'docker cp doesn't work for btrfs' (OLM-158)
- update build to Go 1.10.8

[18.09.1-1.0.0]
- update to 18.09.1

[18.09-1.0.0]
- rename back to docker-engine, rename dockerd-ce to dockerd and stop using alternatives

[18.09-0.0.1]
- merge docker-engine.spec changes by Oracle into docker-ce.spec from upstream 18.09 branch

[18.03.1.ol-0.0.7]
- fix [orabug 28452214] and [orabug 28461404]

[18.03.1.ol-0.0.6]
- obsolete/provide the docker package [orabug 28216396]
- Fix docker plugin reference resolution [orabug 28376247]

[18.03.1.ol-1.0.4]
- Fixed issue where RPM overwrites config files

[17.12.0.ol-1.0.1]
- Update docker-engine package for upstream 17.12.0

[17.09.1.ol-1.0.2]
- Update docker-engine package for upstream 17.09.1

[17.06.2.ol-1.0.1]
- Update docker-engine package for upstream 17.06.2 [orabug 26673768]
- Migrate to new 'ol'-based versioning
- add docker-storage-config utility

[17.03.1-ce-3.0.1]
- Update docker-engine package for upstream 17.03.1
- Enable configuration of Docker daemon via sysconfig [orabug 21804877]
- Require UEK4 for docker 1.9 [orabug 22235639 22235645]
- Add docker.conf for prelink [orabug 25147708]
- Update oracle linux selinux policy to match upstream [orabug 25653794]
- Use dockerd instead of docker daemon as it is deprecated [orabug 25653794]

Update to upstream 19.03.11 to prevent CVE-2020-13401

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service.(CVE-2020-13401)

ID	Name	Product	Family	Severity
154519	NewStart CGSL CORE 5.05 / MAIN 5.05 : docker-ce Multiple Vulnerabilities (NS-SA-2021-0138)	Nessus	NewStart CGSL Local Security Checks	high
143962	NewStart CGSL CORE 5.04 / MAIN 5.04 : docker-ce Multiple Vulnerabilities (NS-SA-2020-0082)	Nessus	NewStart CGSL Local Security Checks	high
139891	GLSA-202008-15 : Docker: Information disclosure	Nessus	Gentoo Local Security Checks	medium
139128	EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2020-1798)	Nessus	Huawei Local Security Checks	medium
138694	openSUSE Security Update : containerd / docker / docker-runc / etc (openSUSE-2020-846)	Nessus	SuSE Local Security Checks	medium
138543	SUSE SLES15 Security Update : containerd, docker, docker-runc, golang-github-docker-libnetwork (SUSE-SU-2020:1657-2)	Nessus	SuSE Local Security Checks	medium
138267	SUSE SLES15 Security Update : containerd, docker, docker-runc, golang-github-docker-libnetwork (SUSE-SU-2020:1657-1)	Nessus	SuSE Local Security Checks	medium
138105	Debian DSA-4716-1 : docker.io - security update	Nessus	Debian Local Security Checks	medium
137821	Oracle Linux 7 : docker-cli / docker-engine (ELSA-2020-5739)	Nessus	Oracle Linux Local Security Checks	high
137682	Fedora 32 : moby-engine (2020-6d7deafd81)	Nessus	Fedora Local Security Checks	medium
137681	Fedora 31 : moby-engine (2020-5ba8c2d9d5)	Nessus	Fedora Local Security Checks	medium
137099	Amazon Linux AMI : docker (ALAS-2020-1376)	Nessus	Amazon Linux Local Security Checks	critical

CVE-2020-13401

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

medium

medium

medium

medium

medium

medium

high

medium

medium

critical