exploit the possibilities

Red Hat Security Advisory 2017-0116-01

Red Hat Security Advisory 2017-0116-01
Posted Jan 18, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-0116-01 - Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere. The following packages have been upgraded to a newer upstream version: docker. Security Fix: The runc component used by `docker exec` feature of docker allowed additional container processes via to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain low-level access to these new processes during initialization. An attacker can, depending on the nature of the incoming process, leverage this to elevate access to the host. This ranges from accessing host content through the file descriptors of the incoming process to, potentially, a complete container escape by leveraging memory access or syscall interception.

tags | advisory, root
systems | linux, redhat
advisories | CVE-2016-9962
MD5 | ecf797385bf59e4b40139ca438a73b42

Red Hat Security Advisory 2017-0116-01

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: docker security, bug fix, and enhancement update
Advisory ID: RHSA-2017:0116-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0116.html
Issue date: 2017-01-17
CVE Names: CVE-2016-9962
=====================================================================

1. Summary:

An update for docker is now available for Red Hat Enterprise Linux 7
Extras.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux 7 Extras - x86_64

3. Description:

Docker is an open-source engine that automates the deployment of any
application as a lightweight, portable, self-sufficient container that will
run virtually anywhere.

The following packages have been upgraded to a newer upstream version:
docker (1.12.5). (BZ#1404298)

Security Fix(es):

* The runc component used by `docker exec` feature of docker allowed
additional container processes via to be ptraced by the pid 1 of the
container. This allows the main processes of the container, if running as
root, to gain low-level access to these new processes during
initialization. An attacker can, depending on the nature of the incoming
process, leverage this to elevate access to the host. This ranges from
accessing host content through the file descriptors of the incoming process
to, potentially, a complete container escape by leveraging memory access or
syscall interception. (CVE-2016-9962)

Red Hat would like to thank the Docker project for reporting this issue.
Upstream acknowledges Aleksa Sarai (SUSE) and Tonis Tiigi (Docker) as the
original reporters.

Bug Fix(es):

* The docker containers and images did not read proxy variables from the
environment when contacting registries. As a consequence, a user could not
pull image when the system was configured to use a proxy. The containers
and images have been fixed to read proxy variables from the environment,
and pulling images now from a system with a proxy works correctly.
(BZ#1393816)

* Occasionally the docker-storage-setup service could start before a thin
pool is ready which caused it to failed. As a consequence, the docker
daemon also failed. This bug has been fixed and now docker-storage-setup
waits for a thin pool to be created for 60 seconds. This default time can
be configured. As a result, docker and docker-storage-setup start correctly
upon reboot. (BZ#1316786)

* Previously, the docker daemon's unit file was not supplying the userspace
proxy path. As a consequence, containers that exposed ports could not be
started. To fix this bug, the unit file was updated to include the
userspace proxy path option to the daemon start command, along with several
other minor packaging fixes. As a result, containers that expose ports can
now be started as expected. (BZ#1406460)

* Previously, the system CA (Certificate Authority) pool was excluded when
the registry CA is used from the /etc/docker/certs.d/ directory. As a
consequence, pulling images failed with the following error:

Failed to push image: x509: certificate signed by unknown authority

This bug has been fixed and docker now reads the system CA pool correctly
and pulling images now work correctly. (BZ#1400372)

* Previously, the docker daemon option did not handle correctly the
"--block-registry docker.io" option. As a consequence, docker allowed
pulling images from docker.io even when the "--block-registry docker.io"
option was enabled. This update fixed the handling of the option, and now
using "--block-registry docker.io" correctly blocks image pulling.
(BZ#1395401)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1316786 - Docker can activate storage before LVM is ready, causing "Failed to start Docker Application Container Engine."
1341760 - docker should require package subscription-manager-plugin-container, not subscription-manager
1346206 - docker command overwrites DOCKER_CERT_PATH variable
1360195 - docker module at lower priority 100 with module at priority 400 when update and downgrade
1364238 - docker-1.12 regression: inconsistent exit codes in command-line flag processing
1373952 - [extras-rhel-7.3.0] selinux issues prevent docker.service from starting
1385924 - docker run --cgroup-parent : unexpected result for pid
1388585 - yum update to Red Hat docker 1.12 omits docker-storage EnvironmentFile entry from systemd unit
1389442 - docker-1.12 can not pull image:tag from brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888
1393816 - [1.12.3]docker didn't work behind proxy
1395401 - block-registry does not work for docker.io with docker 1.10
1399398 - Error starting daemon: Error initializing network controller: Error creating default \"bridge\" network: cannot create network docker0
1400228 - Ability to disable subscription-manager-into-containers host-wide
1400372 - System CA pool excluded when registry CA is used from /etc/docker
1403264 - systemctl start docker for docker-1.12.3-10.el7.x86_64 fails to start
1403270 - Upgrade to RHEL Atomic 7.3.1 breaks the sshd authentication via SSSD
1403370 - failed to install selinux policies from containers-selinux when installing docker 1.12
1403843 - Installing container-selinux-1.12.3-10.el7.x86_64 produces errors
1404298 - [extras-rhel-7.3.2] rebase docker to v1.12.4 + projectatomic patches
1404372 - docker-1.12: exec: "docker-proxy": executable file not found in $PATH.
1405306 - docker run with parameter "--privileged" get failed
1405464 - docker panic trying to 'atomic install' the openscap container
1405888 - container-selinux breaks anytime selinux-policy-targeted is updated
1405989 - Attempt to install latest docker fails due to /libexecdir/docker/sh dependency
1406446 - Default to no signatures verification in docker
1409531 - CVE-2016-9962 docker: insecure opening of file-descriptor allows privilege escalation
1410434 - Docker 1.12.5 and OpenShift 3.4.0.38 : Frequent unexpected EOF during push causing build failures
1412385 - [extras-rhel-7.3.2] selinux issues

6. Package List:

Red Hat Enterprise Linux 7 Extras:

Source:
docker-1.12.5-14.el7.src.rpm

x86_64:
container-selinux-1.12.5-14.el7.x86_64.rpm
docker-1.12.5-14.el7.x86_64.rpm
docker-client-1.12.5-14.el7.x86_64.rpm
docker-common-1.12.5-14.el7.x86_64.rpm
docker-logrotate-1.12.5-14.el7.x86_64.rpm
docker-lvm-plugin-1.12.5-14.el7.x86_64.rpm
docker-novolume-plugin-1.12.5-14.el7.x86_64.rpm
docker-rhel-push-plugin-1.12.5-14.el7.x86_64.rpm
docker-v1.10-migrator-1.12.5-14.el7.x86_64.rpm

Red Hat Enterprise Linux 7 Extras:

Source:
docker-1.12.5-14.el7.src.rpm

x86_64:
container-selinux-1.12.5-14.el7.x86_64.rpm
docker-1.12.5-14.el7.x86_64.rpm
docker-client-1.12.5-14.el7.x86_64.rpm
docker-common-1.12.5-14.el7.x86_64.rpm
docker-logrotate-1.12.5-14.el7.x86_64.rpm
docker-lvm-plugin-1.12.5-14.el7.x86_64.rpm
docker-novolume-plugin-1.12.5-14.el7.x86_64.rpm
docker-rhel-push-plugin-1.12.5-14.el7.x86_64.rpm
docker-v1.10-migrator-1.12.5-14.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-9962
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/security/vulnerabilities/cve-2016-9962

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFYfyEUXlSAg2UNWIIRApDXAKCRBiBH+9wKesI08XZoIVTvu7DEdwCeNzMQ
IhQpU3X4wDJ68mkUTHh70KA=
=mDIf
-----END PGP SIGNATURE-----


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close