Docker fixes critical 5-year old authentication bypass flaw

July 24, 2024 at 03:05PM

Docker has issued security updates to address a critical vulnerability in certain versions of Docker Engine that could allow attackers to bypass authorization plugins under specific conditions. The flaw, tracked as CVE-2024-41110, affects several versions of Docker Engine, and impacted users are advised to move to a patched version (up to v27.1.0). Mitigations are also recommended for users who cannot move to a patched version.

The key takeaways are:

– Docker has issued security updates to address a critical vulnerability that impacts certain versions of Docker Engine. This vulnerability could allow an attacker to bypass authorization plugins (AuthZ) under certain circumstances.
– The fix for the vulnerability was initially released in Docker Engine v18.09.1 in January 2019, but the fix was not carried forward in later versions, leading to the flaw resurfacing.
– The dangerous regression was only identified in April 2024, and patches have now been released for all supported Docker Engine versions.
– The flaw is tracked under CVE-2024-41110 and has a critical severity (CVSS score: 10.0). It allows an attacker to send a specially crafted API request with a Content-Length of 0 to trick the Docker daemon into forwarding it to the AuthZ plugin, potentially resulting in unauthorized access and privilege escalation.
– The vulnerability affects certain versions of Docker Engine for users who use authorization plugins for access control. Users who don’t rely on plugins for authorization, users of Mirantis Container Runtime, and users of Docker commercial products are not impacted.
– Impacted users are advised to move to patched versions as soon as possible, including v23.0.14 and v27.1.0. Additionally, users who cannot move to a safe version are advised to disable AuthZ plugins and restrict access to the Docker API only to trusted users.
– It is also noted that Docker Desktop’s latest version, 4.32.0, includes a vulnerable Docker Engine, but the impact is limited as exploitation requires access to the Docker API, and any privilege escalation action would be limited to the VM. The upcoming Docker Desktop v4.33.0 will resolve the problem, but it has not been released yet.
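
To check whether a host falls within the scope described above (AuthZ plugins configured) and whether its API is reachable over the network, the following added example, which is not code from Docker or from the original article, reads the `authorization-plugins`, `hosts` and `tlsverify` settings from a daemon.json document or from a dockerd command line. The sample inputs and the plugin name `example-authz` are constructed for illustration.

```python
import json
import shlex

# Constructed samples: a daemon.json document and a dockerd command line.
SAMPLE_JSON = '{"authorization-plugins": ["example-authz"], "hosts": ["unix:///var/run/docker.sock"]}'
SAMPLE_ARGV = "dockerd -H tcp://0.0.0.0:2375 --authorization-plugin=example-authz"


def from_daemon_json(text):
    """Extract (authz plugins, listeners, tlsverify) from daemon.json text."""
    cfg = json.loads(text)
    return (list(cfg.get("authorization-plugins") or []),
            list(cfg.get("hosts") or []),
            bool(cfg.get("tlsverify")))


def from_argv(cmdline):
    """Extract the same three settings from a dockerd command line."""
    plugins, hosts, tlsverify = [], [], False
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        name, sep, value = args[i].partition("=")
        if name in ("--authorization-plugin", "-H", "--host"):
            if not sep:  # flag and value given as two separate tokens
                i += 1
                value = args[i] if i < len(args) else ""
            (plugins if name == "--authorization-plugin" else hosts).append(value)
        elif name == "--tlsverify":
            tlsverify = value.lower() != "false"
        i += 1
    return plugins, hosts, tlsverify


def assess(plugins, hosts, tlsverify):
    """Answer the two questions raised by the scope and mitigation advice."""
    tcp = [h for h in hosts if h.startswith("tcp://")]
    return {
        "authz_in_use": bool(plugins),   # only hosts relying on AuthZ plugins are affected
        "plugins": plugins,
        "network_api": tcp,              # API reachable beyond the local socket
        "network_api_no_client_certs": bool(tcp) and not tlsverify,
    }
```

Settings can come from both sources on the same host, so run both extractors and treat the host as in scope if either reports a plugin.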
