docker-1.13.1-162.git64e9980.0.1.el7.AXS7
エラータID: AXSA:2020-208:04
リリース日:
2020/07/07 Tuesday - 09:52
題名:
docker-1.13.1-162.git64e9980.0.1.el7.AXS7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Dockerには、ケーパビリティ ポリシーの誤った設定により、悪意ある
イメージが権限をバイパスしてコンテナ内のファイルシステムやマウント
されたボリュームにアクセスすることを許してしまう脆弱性があります。
(CVE-2016-8867)
- RunCには、'runc exec' により追加的に起動されたコンテナのプロセスを ptrace
できるようにすることにより、コンテンのメインプロセスが root として動作しているとき、
新しいプロセスの初期化中に、そのプロセスのファイルディスクリプタにアクセスし、
コンテナ脱出や runC ステートの変更をコンテナ内から許してしまう脆弱性があります。
(CVE-2016-9962)
- docker で使用されている runc には、攻撃者がホストの runc のバイナリを上書きし、
ホストの root でアクセスできる権限を得る脆弱性があります。(CVE-2019-5736)
- docker には以前修正された CVE-2019-5736 の修正が含まれていない runc の
バージョンを含んでおり、悪意のある、あるいは危険な状態にあるコンテナがコンテナのホストと
同一ホスト上で実行されている他のコンテナを危険にさらす脆弱性があります。(CVE-2020-14298)
- docker には以前修正された CVE-2016-9962 の修正が含まれていない runc の
バージョンを含んでおり、悪意のある、あるいは危険な状態にあるコンテナがコンテナのホストと
同一ホスト上で実行されている他のコンテナを危険にさらす脆弱性があります。(CVE-2020-14300)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2016-8867
Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.
Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes.
CVE-2016-9962
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization and can lead to container escapes or modification of runC state before the process is fully placed inside the container.
CVE-2019-5736
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
CVE-2020-14298
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2020-14300
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
追加情報:
N/A
ダウンロード:
SRPMS
- docker-1.13.1-162.git64e9980.0.1.el7.AXS7.src.rpm
MD5: a69e55d85331de07bc49631fd1fc7c97
SHA-256: d21db776eba0c20a5b92e7102987754c693ae4aa5536f6405333d704ff48d07c
Size: 15.05 MB
Asianux Server 7 for x86_64
- docker-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 0f4c9fe1eeefba7ce7d6ad8574c9d4f1
SHA-256: 2a919dddfc158979c4d68c1ab4e31d0b607c23b6ffbe3729041dee101f5b2b92
Size: 17.67 MB - docker-client-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: ac91b5e62abb332c46a197f7b1ab2a27
SHA-256: d7ce86006034d76d345f73cbd8e80185e1f93f5db6429dc36806e0eb4c87de58
Size: 3.90 MB - docker-common-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 18d2a47922ab6d5fc5fb7a1c0c3af802
SHA-256: 22415613dd222b0255938a305c5f0aae82e38fdc930ceceb88c542a87fa57082
Size: 98.48 kB - docker-logrotate-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: bfce761458aa6ad86f3d5e97b5dfacfe
SHA-256: 51832b6b5f57e8fee39c4cb72e5f4efe0221871e3985dfd530521b3702aac1c8
Size: 96.46 kB - docker-lvm-plugin-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: df006b4dcb22a5f783f82eaa80ca023e
SHA-256: be19ccd2254c59b140b1e08bdfbdf1e2e8d4ec95b00eea8e15a657946aff3bd0
Size: 1.87 MB - docker-novolume-plugin-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 7c5e11a10260768b0d67372579077f44
SHA-256: d92e677196f6a5d9bec5eeed732f81d9181010922e033488e77768bc47e37f1f
Size: 1.89 MB - docker-v1.10-migrator-1.13.1-162.git64e9980.0.1.el7.AXS7.x86_64.rpm
MD5: 05ab7da49db10d6eddf719eb85465f47
SHA-256: 3e6417fd28c739e3e9342cad3a31a41ae07dc59b7beceef77d05b2bb15fefee9
Size: 2.68 MB
English