docker-1.13.1-162.git64e9980.0.1.el7.AXS7
Errata ID: AXSA:2020-208:04
Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere.
Security Fix(es):
* docker: Ambient capability usage in containers (CVE-2016-8867)
* docker: Security regression of CVE-2019-5736 due to inclusion of vulnerable runc (CVE-2020-14298)
* docker: Security regression of CVE-2016-9962 due to inclusion of vulnerable runc (CVE-2020-14300)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2016-8867
Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.
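As an added defensive check (not part of this errata or of the Docker project), the script below parses the Cap* fields of a /proc/<pid>/status dump and flags a container process whose ambient capability set is non-empty, the condition CVE-2016-8867 describes; it also reports ambient capabilities that fall outside the process's bounding set. The status dumps and capability masks are constructed sample input.

```python
import re

# Capability bit numbers from <linux/capability.h>; Docker's default set
# is named here, anything else is reported by bit number.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER", 4: "CAP_FSETID",
    5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE", 13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD",
    29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")

def parse_caps(status_text):
    """Return {field: bitmask} for the Cap* lines of a /proc/<pid>/status dump."""
    caps = {}
    for line in status_text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            caps[m.group(1)] = int(m.group(2), 16)
    return caps

def cap_names(mask):
    """Expand a capability bitmask into capability names, lowest bit first."""
    return [CAP_NAMES.get(b, f"CAP_{b}") for b in range(64) if mask >> b & 1]

def audit(status_text):
    """Findings for a process: non-empty ambient set, or ambient caps not in CapBnd."""
    caps = parse_caps(status_text)
    amb, bnd = caps.get("CapAmb", 0), caps.get("CapBnd", 0)
    findings = []
    if amb:
        findings.append("ambient set non-empty: " + ", ".join(cap_names(amb)))
    if amb & ~bnd:
        findings.append("ambient caps outside bounding set: " + ", ".join(cap_names(amb & ~bnd)))
    return findings

# Constructed status excerpts. 0xa80425fb is Docker's default capability set.
CLEAN_STATUS = "Name:\tnginx\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n"
AMBIENT_STATUS = "Name:\tnginx\nCapBnd:\t00000000a80425fb\nCapAmb:\t00000000a80425fb\n"
OVERREACH_STATUS = "Name:\tsh\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000200000\n"

if __name__ == "__main__":
    for label, status in [("clean", CLEAN_STATUS), ("ambient", AMBIENT_STATUS),
                          ("overreach", OVERREACH_STATUS)]:
        print(label, audit(status) or "ok")
```

On a live host the same function can be run over `cat /proc/<pid>/status` for each container PID reported by `docker top`.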
CVE-2016-9962
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
CVE-2019-5736
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
CVE-2020-14298
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-14300
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Update packages.
N/A
SRPMS
- docker-1.13.1-162.git64e9980.0.1.el7.AXS7.src.rpm
MD5: a69e55d85331de07bc49631fd1fc7c97
SHA-256: d21db776eba0c20a5b92e7102987754c693ae4aa5536f6405333d704ff48d07c
Size: 15.05 MB
Asianux Server 7 for x86_64
- docker-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 0f4c9fe1eeefba7ce7d6ad8574c9d4f1
SHA-256: 2a919dddfc158979c4d68c1ab4e31d0b607c23b6ffbe3729041dee101f5b2b92
Size: 17.67 MB
- docker-client-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: ac91b5e62abb332c46a197f7b1ab2a27
SHA-256: d7ce86006034d76d345f73cbd8e80185e1f93f5db6429dc36806e0eb4c87de58
Size: 3.90 MB
- docker-common-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 18d2a47922ab6d5fc5fb7a1c0c3af802
SHA-256: 22415613dd222b0255938a305c5f0aae82e38fdc930ceceb88c542a87fa57082
Size: 98.48 kB
- docker-logrotate-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: bfce761458aa6ad86f3d5e97b5dfacfe
SHA-256: 51832b6b5f57e8fee39c4cb72e5f4efe0221871e3985dfd530521b3702aac1c8
Size: 96.46 kB
- docker-lvm-plugin-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: df006b4dcb22a5f783f82eaa80ca023e
SHA-256: be19ccd2254c59b140b1e08bdfbdf1e2e8d4ec95b00eea8e15a657946aff3bd0
Size: 1.87 MB
- docker-novolume-plugin-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 7c5e11a10260768b0d67372579077f44
SHA-256: d92e677196f6a5d9bec5eeed732f81d9181010922e033488e77768bc47e37f1f
Size: 1.89 MB
- docker-v1.10-migrator-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 05ab7da49db10d6eddf719eb85465f47
SHA-256: 3e6417fd28c739e3e9342cad3a31a41ae07dc59b7beceef77d05b2bb15fefee9
Size: 2.68 MB