CVE-2016-6595
https://notcve.org/view.php?id=CVE-2016-6595
The SwarmKit toolkit 1.12.0 for Docker allows remote authenticated users to cause a denial of service (prevention of cluster joins) via a long sequence of join and quit actions. NOTE: the vendor disputes this issue, stating that this sequence "is not removing the state that is left by old nodes. At some point the manager obviously stops being able to accept new nodes, since it runs out of memory. Given that both for Docker swarm and for Docker Swarmkit nodes are *required* to provide a secret token (it's actually the only mode of operation), this means that no adversary can simply join nodes and exhaust manager resources. We can't do anything about a manager running out of memory and not being able to add new legitimate nodes to the system." • http://www.openwall.com/lists/oss-security/2016/08/04/1 http://www.openwall.com/lists/oss-security/2016/09/02/1 http://www.openwall.com/lists/oss-security/2016/09/02/8 http://www.securityfocus.com/bid/92195 http://www.securitytracker.com/id/1036548 • CWE-399: Resource Management Errors •
CVE-2016-8867 – docker: Ambient capability usage in containers
https://notcve.org/view.php?id=CVE-2016-8867
Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes. The runc version bundled with Docker 1.12.2 incorrectly set ambient capabilities for every process executed inside a container. Because the ambient set is preserved across execve() of unprivileged binaries, a process running as a non-root user inside the container kept capabilities from the container's default set (for example CAP_DAC_OVERRIDE, which bypasses discretionary file permission checks) instead of losing them, so a non-root entrypoint in a hostile image could read or modify files that its UID should not have been able to touch. • http://www.securityfocus.com/bid/94228 http://www.securitytracker.com/id/1037203 https://www.docker.com/docker-cve-database https://access.redhat.com/security/cve/CVE-2016-8867 https://bugzilla.redhat.com/show_bug.cgi?id=1390163 https://access.redhat.com/security/vulnerabilities/runc-regression-docker • CWE-264: Permissions, Privileges, and Access Controls •
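The quickest way to tell whether a running container is affected is to look at the CapAmb field of /proc/<pid>/status for a non-root process: it should be all zeros. The following is an added example (not code from Docker, runc or the advisory) that parses that file and decodes the ambient mask into capability names. The two status fragments are constructed, not captured from a real host; 0xa80425fb is the mask of Docker's default capability set, and the sample labelled "affected" assumes the buggy runc copied that set into the ambient set of the container process.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// capNames maps Linux capability bit numbers to their names, in the order
// defined by linux/capability.h (bit 0 = CAP_CHOWN).
var capNames = []string{
	"CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
	"CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
	"CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
	"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
	"CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
	"CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
	"CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
	"CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
	"CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
	"CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
	"CAP_CHECKPOINT_RESTORE",
}

// capMask extracts the 64-bit hex mask of one "Cap*" field (e.g. "CapAmb")
// from the text of /proc/<pid>/status.
func capMask(status, field string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, field+":") {
			continue
		}
		hexMask := strings.TrimSpace(strings.TrimPrefix(line, field+":"))
		return strconv.ParseUint(hexMask, 16, 64)
	}
	return 0, fmt.Errorf("field %s not present in status", field)
}

// capList decodes a capability bitmask into names, lowest bit first.
func capList(mask uint64) []string {
	var names []string
	for bit := 0; bit < 64; bit++ {
		if mask&(uint64(1)<<uint(bit)) == 0 {
			continue
		}
		if bit < len(capNames) {
			names = append(names, capNames[bit])
		} else {
			names = append(names, "CAP_"+strconv.Itoa(bit))
		}
	}
	return names
}

// ambientCaps returns the names of the capabilities in a process's ambient
// set. For a non-root container process this should be empty; a populated
// set is the symptom described in CVE-2016-8867.
func ambientCaps(status string) ([]string, error) {
	mask, err := capMask(status, "CapAmb")
	if err != nil {
		return nil, err
	}
	return capList(mask), nil
}

// Constructed sample status fragments (not captured from a real system).
// 0xa80425fb is Docker's default capability set; sampleAffected assumes the
// buggy runc copied it into the ambient set of a uid 1000 process.
const sampleAffected = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\n" +
	"CapInh:\t00000000a80425fb\nCapPrm:\t00000000a80425fb\n" +
	"CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n" +
	"CapAmb:\t00000000a80425fb\n"

const sampleFixed = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\n" +
	"CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n" +
	"CapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n" +
	"CapAmb:\t0000000000000000\n"

func main() {
	// Run inside the container as a non-root user. An optional pid argument
	// selects another process; otherwise the program inspects itself.
	path := "/proc/self/status"
	if len(os.Args) > 1 {
		path = "/proc/" + os.Args[1] + "/status"
	}
	data, err := os.ReadFile(path)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	caps, err := ambientCaps(string(data))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if len(caps) == 0 {
		fmt.Println("ambient set empty: not affected")
		return
	}
	fmt.Printf("ambient set populated (%d caps): %s\n", len(caps), strings.Join(caps, " "))
}
```

On the constructed "affected" sample the program lists the 14 capabilities of Docker's default set (CAP_CHOWN through CAP_SETFCAP); on the "fixed" sample it reports an empty ambient set. CapBnd is expected to stay populated even on a fixed runtime, which is why the check keys on CapAmb and not on the bounding set.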
CVE-2016-3697 – docker: privilege escalation via confusion of usernames and UIDs
https://notcve.org/view.php?id=CVE-2016-3697
libcontainer/user/user.go in runC before 0.1.0, as used in Docker before 1.11.2, improperly treats a numeric UID as a potential username, which allows local users to gain privileges via a numeric username in the password file in a container. The user lookup in libcontainer compared a numeric user specification (for example `-u 1000`) against the name column of the container's /etc/passwd as well as against the UID column, taking the first match. A passwd entry in a malicious image whose user name is the string "1000" but whose UID is 0 therefore caused the container process to start as root even though a non-root UID had been requested. An attacker able to launch a container from such an image could use this flaw to escalate their privileges to root within the launched container. • http://lists.opensuse.org/opensuse-updates/2016-05/msg00111.html http://rhn.redhat.com/errata/RHSA-2016-1034.html http://rhn.redhat.com/errata/RHSA-2016-2634.html https://github.com/docker/docker/issues/21436 https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091 https://github.com/opencontainers/runc/pull/708 https://github.com/opencontainers/runc/releases/tag/v0.1.0 https://security.gentoo.org/glsa/201612-28 https://access.redhat.com/security/cve/CVE- • CWE-264: Permissions, Privileges, and Access Controls •
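The name/UID confusion is easiest to see with the two lookup rules side by side. The example below is added here and is not runc's own code: resolveUIDVulnerable models the pre-fix rule (a spec matches an entry if it equals either the name or the decimal UID, first match wins) and resolveUIDFixed models the corrected rule (a spec that parses as an integer is only ever a UID). The passwd file is constructed to contain the hostile entry, and the parser, type and function names are the example's own.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// passwdEntry holds the fields of one /etc/passwd line that matter here.
type passwdEntry struct {
	Name string
	UID  int
	GID  int
}

// parsePasswd parses passwd-format text. Malformed lines are skipped rather
// than rejected, because the image author controls this file.
func parsePasswd(data string) ([]passwdEntry, error) {
	var entries []passwdEntry
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		fields := strings.Split(sc.Text(), ":")
		if len(fields) < 7 || fields[0] == "" {
			continue
		}
		uid, err := strconv.Atoi(fields[2])
		if err != nil {
			continue
		}
		gid, err := strconv.Atoi(fields[3])
		if err != nil {
			continue
		}
		entries = append(entries, passwdEntry{Name: fields[0], UID: uid, GID: gid})
	}
	return entries, sc.Err()
}

// resolveUIDVulnerable models the pre-fix lookup: the spec is compared with
// the name column OR the UID column and the first match wins, so an entry
// whose *name* is "1000" and whose UID is 0 hijacks "-u 1000".
func resolveUIDVulnerable(entries []passwdEntry, spec string) (int, error) {
	for _, e := range entries {
		if e.Name == spec || strconv.Itoa(e.UID) == spec {
			return e.UID, nil
		}
	}
	if uid, err := strconv.Atoi(spec); err == nil {
		return uid, nil // numeric spec with no passwd entry: used verbatim
	}
	return -1, errors.New("unable to find user " + spec)
}

// resolveUIDFixed models the corrected lookup: a spec that parses as an
// integer is treated purely as a UID and never compared with the name column.
func resolveUIDFixed(entries []passwdEntry, spec string) (int, error) {
	if uid, err := strconv.Atoi(spec); err == nil {
		return uid, nil // the numeric UID is used whether or not passwd lists it
	}
	for _, e := range entries {
		if e.Name == spec {
			return e.UID, nil
		}
	}
	return -1, errors.New("unable to find user " + spec)
}

// Constructed passwd file from a hostile image: the second line is *named*
// "1000" but maps to UID 0; the legitimate uid 1000 account comes after it.
const hostilePasswd = "root:x:0:0:root:/root:/bin/sh\n" +
	"1000:x:0:0:looks-like-a-uid:/root:/bin/sh\n" +
	"app:x:1000:1000:application:/home/app:/bin/sh\n"

func main() {
	entries, err := parsePasswd(hostilePasswd)
	if err != nil {
		panic(err)
	}
	for _, spec := range []string{"1000", "app", "root"} {
		v, _ := resolveUIDVulnerable(entries, spec)
		f, _ := resolveUIDFixed(entries, spec)
		fmt.Printf("-u %-5s  pre-fix -> uid %d   fixed -> uid %d\n", spec, v, f)
	}
}
```

With the hostile file, `-u 1000` resolves to UID 0 under the pre-fix rule and to UID 1000 under the fixed rule; non-numeric names such as "app" resolve identically under both. Note that the pre-fix outcome also depends on line order: had the "app" line preceded the "1000" line, the first-match rule would have picked UID 1000, which is why the flaw was easy to miss in testing with benign images.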
CVE-2015-3627
https://notcve.org/view.php?id=CVE-2015-3627
Libcontainer and Docker Engine before 1.6.1 open the file descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image. Because the open happens before the container's root is in place, a symlink planted in the image can redirect it outside the container's filesystem, and a malicious image can use this to trigger a local privilege escalation. • http://lists.opensuse.org/opensuse-updates/2015-05/msg00023.html http://packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html http://seclists.org/fulldisclosure/2015/May/28 https://groups.google.com/forum/#%21searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2015-3630
https://notcve.org/view.php?id=CVE-2015-3630
Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image. These procfs paths were left neither masked nor mounted read-only inside the container, so code from a crafted image could read from and write to them as it would on the host. • http://lists.opensuse.org/opensuse-updates/2015-05/msg00023.html http://packetstormsecurity.com/files/131835/Docker-Privilege-Escalation-Information-Disclosure.html http://seclists.org/fulldisclosure/2015/May/28 http://www.securityfocus.com/bid/74566 https://groups.google.com/forum/#%21searchin/docker-user/1.6.1/docker-user/47GZrihtr-4/nwgeOOFLexIJ • CWE-264: Permissions, Privileges, and Access Controls •
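Whether a given runtime still covers these four paths can be verified from inside a container by reading /proc/self/mountinfo: a path is protected when a mount sits on top of it, either a /dev/null bind mount or an empty tmpfs (masked) or a read-only procfs bind (read-only). The program below is an added example, not part of Docker or the advisory; the two mountinfo fragments are constructed, with the "hardened" one written to resemble how a current runtime masks these paths and the "bare" one having only procfs itself, as a runtime with the flaw would.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// mountEntry is the subset of a /proc/self/mountinfo line used here.
type mountEntry struct {
	Root   string // path within the mounted filesystem (e.g. "/null" for a /dev/null bind)
	Point  string // mount point as seen in this mount namespace
	Opts   map[string]bool
	FSType string
}

// parseMountinfo parses mountinfo text. Field layout, per proc(5):
//   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields...] - FSTYPE SOURCE SUPEROPTS
func parseMountinfo(data string) []mountEntry {
	var entries []mountEntry
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		sep := -1
		for i, f := range fields {
			if f == "-" {
				sep = i
				break
			}
		}
		if sep < 6 || sep+1 >= len(fields) {
			continue // malformed line
		}
		e := mountEntry{Root: unescape(fields[3]), Point: unescape(fields[4]),
			Opts: map[string]bool{}, FSType: fields[sep+1]}
		for _, o := range strings.Split(fields[5], ",") {
			e.Opts[o] = true
		}
		entries = append(entries, e)
	}
	return entries
}

// unescape decodes the octal escapes mountinfo uses for whitespace in paths.
func unescape(s string) string {
	r := strings.NewReplacer(`\040`, " ", `\011`, "\t", `\012`, "\n", `\134`, `\`)
	return r.Replace(s)
}

// procExposure classifies each path as "masked" (covered by /dev/null or an
// empty tmpfs), "read-only" (covered by a read-only bind of procfs), or
// "exposed" (no covering mount, so the live procfs file is reachable).
func procExposure(mountinfo string, paths []string) map[string]string {
	entries := parseMountinfo(mountinfo)
	result := map[string]string{}
	for _, p := range paths {
		result[p] = "exposed"
		for _, e := range entries {
			if e.Point != p {
				continue
			}
			switch {
			case e.FSType == "tmpfs", e.Root == "/null":
				result[p] = "masked"
			case e.Opts["ro"]:
				result[p] = "read-only"
			}
		}
	}
	return result
}

// The four paths named in CVE-2015-3630.
var cvePaths = []string{"/proc/asound", "/proc/timer_stats", "/proc/latency_stats", "/proc/fs"}

// Constructed mountinfo fragments (not captured from a real host).
const hardenedMounts = "120 100 0:50 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n" +
	"121 120 0:55 / /proc/asound ro,relatime - tmpfs tmpfs ro\n" +
	"122 120 0:5 /null /proc/timer_stats rw,nosuid - devtmpfs udev rw,size=8k\n" +
	"123 120 0:5 /null /proc/latency_stats rw,nosuid - devtmpfs udev rw,size=8k\n" +
	"124 120 0:50 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw\n"

const bareMounts = "120 100 0:50 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"

func main() {
	data, err := os.ReadFile("/proc/self/mountinfo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, p := range cvePaths {
		fmt.Printf("%-20s %s\n", p, procExposure(string(data), cvePaths)[p])
	}
}
```

Run inside the container to be checked; any path reported as "exposed" means the container sees the host's live procfs entry with whatever permissions the kernel gives it, which is the condition this CVE describes. The check only inspects mounts, so a path that the kernel does not provide at all (for example /proc/timer_stats on kernels built without it) will also show as "exposed" and should be confirmed with a stat before being treated as a finding.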