July 25, 2024 at 01:57AM
Docker warns of a critical vulnerability (CVE-2024-41110) in certain versions of Docker Engine, allowing attackers to bypass authorization plugins with maximum severity. It was regressed since 2018 but resolved in versions 23.0.14 and 27.1.0. Docker Desktop up to 4.32.0 is affected, with a fix expected in the next release. Users are urged to update to mitigate potential threats.
Key takeaways from the meeting notes:
1. Docker has warned of a critical security vulnerability, tracked as CVE-2024-41110, impacting certain versions of Docker Engine. This vulnerability carries a maximum severity CVSS score of 10.0 and could allow an attacker to bypass authorization plugins under specific circumstances.
2. The vulnerability was originally discovered in 2018 and addressed in Docker Engine v18.09.1 in January 2019, but it was never carried over to subsequent versions (19.03 and later). It has now been resolved in versions 23.0.14 and 27.1.0 as of July 23, 2024.
3. Docker Desktop up to versions 4.32.0 is also affected, but the likelihood of exploitation is limited and a fix is expected to be included in a forthcoming release (version 4.33).
4. Users are urged to update their Docker installations to the latest version to mitigate potential threats, even though there is no mention of CVE-2024-41110 being exploited in the wild.
5. Earlier this year, Docker also moved to patch a set of flaws dubbed Leaky Vessels that could enable an attacker to gain unauthorized access to the host filesystem and break out of the container.
6. The use of containers has become an integrated part of cloud infrastructure, but they are susceptible to various attack techniques like container escapes, as highlighted in a report by Palo Alto Networks Unit 42.
7. Users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins are unaffected by the vulnerability.
It’s important for users to stay updated on security patches and follow best practices to ensure the security of their Docker environments.