RHEL 7 : docker (RHSA-2016:1034)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

An update for docker is now available for Red Hat Enterprise Linux 7
Extras.

Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Docker is an open source engine that automates the deployment of any
application as a lightweight, portable, self-sufficient container that
will run virtually anywhere.

Security Fix(es) :

* It was found that Docker would launch containers under the specified
UID instead of a username. An attacker able to launch a container
could use this flaw to escalate their privileges to root within the
launched container. (CVE-2016-3697)

This issue was discovered by Mrunal Patel (Red Hat).
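The UID-versus-username resolution behind CVE-2016-3697, as an added example in Python (not Red Hat's, Docker's or runc's code): a resolver that treats an all-digit user argument as a UID and never matches it against the name column of /etc/passwd, plus a defensive check that flags passwd entries in an image whose all-digit name does not equal their UID. The passwd content is constructed, and the gid-0 default for a numeric UID that has no passwd entry is an assumption.

```python
# Added example, not code from the advisory. Demonstrates safe resolution of
# a container user argument and a check for misleading passwd entries.
import re

# Constructed sample /etc/passwd. "app" is an ordinary user; the "1000"
# entry has an all-digit name but UID 0, which is the shape of entry a
# name-first lookup would map a numeric argument of 1000 onto.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
app:x:1001:1001:App user:/home/app:/bin/sh
1000:x:0:0:misleading:/root:/bin/bash
"""


def parse_passwd(text):
    """Return (name, uid, gid) tuples from passwd-format text."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line, skip it
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries


def resolve_exec_user(user_arg, passwd_text):
    """Hardened resolution: an all-digit argument is a UID and is only ever
    matched against the uid column; names are looked up by name. Returns
    (uid, gid)."""
    entries = parse_passwd(passwd_text)
    if re.fullmatch(r"\d+", user_arg):
        uid = int(user_arg)
        for _, euid, gid in entries:
            if euid == uid:
                return uid, gid
        return uid, 0  # assumption: no passwd entry -> default group 0
    for name, uid, gid in entries:
        if name == user_arg:
            return uid, gid
    raise ValueError("unknown user: %s" % user_arg)


def find_numeric_aliases(passwd_text):
    """Defensive check on an image's passwd: entries whose name is all
    digits but does not equal their UID. Returns [(name, uid), ...]."""
    return [(name, uid) for name, uid, _ in parse_passwd(passwd_text)
            if name.isdigit() and int(name) != uid]
```

Running `find_numeric_aliases` over an image's /etc/passwd before deploying it on hosts that have not yet received this update surfaces the entries that matter for this flaw.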

Bug Fix(es) :

* The process of pulling an image spawns a new 'goroutine' for each
layer in the image manifest. If any of these downloads fails, everything
stops and an error is returned, even though other goroutines would
still be running and writing output through a progress reader which is
attached to an http response writer. Since the request handler had
already returned from the first error, the http server panics when one
of these download goroutines makes a write to the response writer
buffer. This bug has been fixed, and docker no longer panics when
pulling an image. (BZ#1264562)

* Previously, in certain situations, a container rootfs remained busy
during container removal. This typically happened if a container mount
point leaked into another mount namespace. As a consequence, container
removal failed. To fix this bug, a new docker daemon option
'dm.use_deferred_deletion' has been provided. If set to true, this
option will defer the container rootfs deletion. The user will see
success on container removal but the actual thin device backing the
rootfs will be deleted later when it is not busy anymore. (BZ#1190492)

* Previously, the Docker unit file had the 'Restart' option set to
'on-failure'. Consequently, the docker daemon was forced to restart
even in cases where it couldn't be started because of configuration or
other issues and this situation forced unnecessary restarts of the
docker-storage-setup service in a loop. This also caused real error
messages to be lost due to so many restarts. To fix this bug,
'Restart=on-failure' has been replaced with 'Restart=on-abnormal' in
the docker unit file. As a result, the docker daemon will not
automatically restart if it fails with an unclean exit code.
(BZ#1319783)

* Previously, the request body was incorrectly read twice by the
docker daemon and consequently, an EOF error was returned. To fix this
bug, the code which incorrectly read the request body the first time
has been removed. As a result, the EOF error is no longer returned and
the body is correctly read when really needed. (BZ#1329743)

Enhancement(s) :

* The /usr/bin/docker script now calls /usr/bin/docker-current or
/usr/bin/docker-latest based on the value of the sysconfig variable
DOCKERBINARY present in /etc/sysconfig/docker. /usr/bin/docker and
/etc/sysconfig/docker provided by the docker-common package allow the
admin to configure which docker client binary gets called.
/usr/bin/docker will call /usr/bin/docker-latest by default when
docker is not installed. If docker is installed, /usr/bin/docker will
call /usr/bin/docker-current by default, unless DOCKERBINARY is set to
/usr/bin/docker-latest in /etc/sysconfig/docker. This way, you can use
docker-latest or docker without the need to check which version of the
daemon is currently running. (BZ#1328219)

See also :

https://www.redhat.com/security/data/cve/CVE-2016-3697.html
http://rhn.redhat.com/errata/RHSA-2016-1034.html

Solution :

Update the affected packages.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 2.0
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 91115

Bugtraq ID:

CVE ID: CVE-2016-3697
