oss-sec mailing list archives
Re: Docker 1.12.6 - Security Advisory
From: Trevor Jay <tjay () redhat com>
Date: Wed, 11 Jan 2017 04:28:20 +0000
A FYI for Red Hat and Fedora users: we have rated this CVE as having moderate impact to our users and are currently
testing backports of this patch for 1.12.5. More info:
https://access.redhat.com/ringwraith
https://bugzilla.redhat.com/show_bug.cgi?id=1409531
https://access.redhat.com/security/cve/CVE-2016-9962
To mitigate this even without the patch, you can remove `ptrace` from your seccomp whitelist. ACS such as SELinux (not
sure about AppArmor) will keep container processes from accessing external file descriptors. Of course, you can prevent
these kind of attacks completely (modulo kernel bugs) by never running privileged containers or giving them
CAP_SYS_PTRACE in the first place.
Great work on the flaw and patch. An extremely interesting vulnerability.
_Trevor
--
Sent from my Casio Loopy.
(Trevor Jay) Red Hat Product Security
gpg-key: https://ssl.montrose.is/chat/gpg-key
Current thread:
- Docker 1.12.6 - Security Advisory Nathan McCauley (Jan 10)
- Re: Docker 1.12.6 - Security Advisory Kurt Seifried (Jan 10)
- Re: Docker 1.12.6 - Security Advisory Andreas Stieger (Jan 11)
- Re: Docker 1.12.6 - Security Advisory Trevor Jay (Jan 11)
- Re: Docker 1.12.6 - Security Advisory Kurt Seifried (Jan 10)