Description
In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen filesystem (or from within a chroot).
A flaw was discovered in the API endpoint behind the 'docker cp' command. The endpoint has a time-of-check to time-of-use (TOCTOU) flaw in the way it handles symbolic links inside a container. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read or written when an administrator tries to copy a file from or to the container.
Statement
All versions of docker prior to the fix are vulnerable to this flaw. For clarity, the "Affected Packages State" table includes only OpenShift Container Platform (OCP) versions 3.7 and below, because for these versions docker was shipped as part of the release. For all subsequent versions of OCP until 3.11, docker is installed from the RHEL Extras repository, meaning clusters will be vulnerable to the flaw unless an updated docker package has been applied. Red Hat Fuse provides only the Docker client library and is not affected by this vulnerability.
Mitigation
Stopping a container prior to running "docker cp" removes the TOCTOU vulnerability.
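One way to apply this mitigation consistently, as an added example that is not Docker's or Red Hat's code: the hypothetical helper `safe_docker_cp` stops a running container, confirms that the daemon reports it stopped, performs the copy, and then restarts it. It assumes the `docker` CLI is on the PATH and that briefly stopping the container is acceptable.

```shell
#!/bin/sh
# Added example: wrapper applying the "stop before docker cp" mitigation.
# safe_docker_cp is a hypothetical helper name; it is not part of Docker.
# Usage: safe_docker_cp <container> <src> <dst>
#   <src> or <dst> is written as "<container>:<path>", exactly as for docker cp.
safe_docker_cp() {
    [ "$#" -eq 3 ] || { echo "usage: safe_docker_cp <container> <src> <dst>" >&2; return 2; }
    ctr=$1 src=$2 dst=$3

    # Ask the daemon whether processes inside the container can still run.
    running=$(docker inspect -f '{{.State.Running}}' "$ctr") || return 1

    if [ "$running" = "true" ]; then
        # A running container can exchange path components for symlinks between
        # the daemon's path check and its use of the path, so stop it first.
        docker stop "$ctr" >/dev/null || return 1
        # Re-check: copy only if the daemon confirms the container is stopped.
        still=$(docker inspect -f '{{.State.Running}}' "$ctr") || return 1
        [ "$still" = "false" ] || { echo "container still running; not copying" >&2; return 1; }
    fi

    # Capture the copy status without tripping "set -e" in calling scripts.
    rc=0
    docker cp "$src" "$dst" || rc=$?

    # Restore the previous state only if this helper stopped the container.
    if [ "$running" = "true" ]; then
        docker start "$ctr" >/dev/null || rc=1
    fi
    return "$rc"
}
```

The helper deliberately refuses to copy when the stop cannot be confirmed, rather than falling back to a copy against a live container.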
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Fuse 7 | docker | Not affected | ||
Red Hat OpenShift Container Platform 3.4 | docker | Out of support scope | ||
Red Hat OpenShift Container Platform 3.5 | docker | Out of support scope | ||
Red Hat OpenShift Container Platform 3.6 | docker | Will not fix | ||
Red Hat OpenShift Container Platform 3.7 | docker | Will not fix | ||
Red Hat Enterprise Linux 7 Extras | docker | Fixed | RHSA-2019:1910 | 29.07.2019 |
Additional information
Status:
7.5 High
CVSS3