Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 11 Jan 2017 04:28:20 +0000
From: Trevor Jay <tjay@...hat.com>
To: docker-user@...glegroups.com
Cc: docker-dev@...glegroups.com, oss-security@...ts.openwall.com
Subject: Re: Docker 1.12.6 - Security Advisory

A FYI for Red Hat and Fedora users: we have rated this CVE as having moderate impact to our users and are currently testing backports of this patch for 1.12.5. More info:

    https://access.redhat.com/ringwraith
    https://bugzilla.redhat.com/show_bug.cgi?id=1409531
    https://access.redhat.com/security/cve/CVE-2016-9962

To mitigate this even without the patch, you can remove `ptrace` from your seccomp whitelist. ACS such as SELinux (not sure about AppArmor) will keep container processes from accessing external file descriptors. Of course, you can prevent these kind of attacks completely (modulo kernel bugs) by never running privileged containers or giving them CAP_SYS_PTRACE in the first place.

Great work on the flaw and patch. An extremely interesting vulnerability.

_Trevor

-- 
Sent from my Casio Loopy.
(Trevor Jay) Red Hat Product Security
gpg-key: https://ssl.montrose.is/chat/gpg-key

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ