Description
Docker Elevation of Privilege Vulnerability
Summary
CVE-2018-15664 describes a vulnerability in the Docker runtime (and the underlying community project, Moby) wherein a malicious/compromised container can acquire full read/write access to the host operating system where that container is running. The vulnerability depends on the way that the Docker runtime handles symbolic links and is most directly exploitable through the Docker copy API (‘docker cp’ in the Docker CLI).
What is the risk for Azure Kubernetes Service (AKS) and Azure IoT Edge customers?
The risk for AKS and Azure IoT Edge customers is minimal, because both of the following must be true:
- A container on the host must be compromised.
- The attacker must have access to the host machine, as the Docker API is not exposed by default from outside of the host.
FAQ
How do I get the update for Microsoft Azure Kubernetes Service (AKS)?
There are two ways to get the update for AKS:
Any new cluster created after the July 22, 2019 release discussed in https://github.com/Azure/AKS/releases/tag/2019-07-22 will have AKS-Engine version v0.38.3 and will be protected from this vulnerability.
Any clusters that were created before July 22, 2019 must be upgraded to include AKS-Engine v0.30.3. See Upgrade an Azure Kubernetes Service (AKS) cluster for instructions on upgrading a cluster.
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
Related vulnerabilities
In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).
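As an added defender-side illustration (not part of this advisory or of the Docker project), the following Python covers the two facts the page states: that 'docker cp' is served by the Engine API's container archive endpoints, so its use is visible in daemon logs, and that the AKS risk hinges on whether the Docker API is reachable from off-host. The dockerd log line format and the sample lines are constructed assumptions; the daemon.json "hosts" key and the -H/--host flags are real dockerd configuration.

```python
import json
import re
import shlex
from typing import List, Tuple

# 'docker cp' is backed by GET/HEAD/PUT /containers/{id}/archive?path=...
# The "Calling <METHOD> <url>" debug message format is an assumption.
ARCHIVE_RE = re.compile(
    r'Calling (?P<method>GET|HEAD|PUT) (?:/v[\d.]+)?/containers/'
    r'(?P<cid>[^/]+)/archive\?path=(?P<path>[^"\s]+)'
)


def archive_calls(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (method, container id, path) for each archive-endpoint
    request found in dockerd debug log lines (PUT = write into container)."""
    hits = []
    for line in log_lines:
        m = ARCHIVE_RE.search(line)
        if m:
            hits.append((m.group("method"), m.group("cid"), m.group("path")))
    return hits


def tcp_listeners(daemon_json: str, cmdline: str) -> List[str]:
    """Return every tcp:// endpoint the daemon is configured to listen on,
    taken from daemon.json "hosts" and from -H/--host on the command line.
    A non-empty result means the API is reachable beyond the local socket."""
    hosts: List[str] = []
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts.extend(cfg.get("hosts", []))
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])
    return [h for h in hosts if h.startswith("tcp://")]


# Constructed sample input, not real daemon output.
SAMPLE_LOG = [
    'time="2019-07-22T10:00:01Z" level=debug msg="Calling GET /v1.39/containers/json"',
    'time="2019-07-22T10:00:02Z" level=debug msg="Calling PUT /v1.39/containers/3f2a9c1b/archive?path=/tmp/in"',
    'time="2019-07-22T10:00:03Z" level=debug msg="Calling GET /v1.39/containers/3f2a9c1b/archive?path=/etc/passwd"',
]
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    print(archive_calls(SAMPLE_LOG))
    print(tcp_listeners(SAMPLE_DAEMON_JSON, "dockerd"))
```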