Signed-off-by: Jess Frazelle <jess@mesosphere.com>
Signed-off-by: Jess Frazelle <me@jessfraz.com>
new file mode 100644
@@ -0,0 +1,84 @@
+<!--[metadata]>
+title = "Docker Security Non-events"
+description = "Review of security vulnerabilities Docker mitigated"
+keywords = ["Docker, Docker documentation, security, security non-events"]
+[menu.main]
+parent = "smn_secure_docker"
+weight =-99
+<![end-metadata]-->
+
+# Docker Security Non-events
+
+This page lists security vulnerabilities which Docker mitigated, such that
+processes run in Docker containers were never vulnerable to the bug—even before
+it was fixed. This assumes containers are run without adding extra capabilities
+or not run as `--privileged`.
+
+The list below is not even remotely complete. Rather, it is a sample of the few
+bugs we've actually noticed to have attracted security review and publicly
+disclosed vulnerabilities. In all likelihood, the bugs that haven't been
+reported far outnumber those that have. Luckily, since Docker's approach to
+secure by default through apparmor, seccomp, and dropping capabilities, it
+likely mitigates unknown bugs just as well as it does known ones.
+
+Bugs mitigated:
+
+* [CVE-2013-1956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1956),
+[1957](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1957),
+[1958](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1958),
+[1959](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1959),
+[1979](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1979),
+[CVE-2014-4014](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014),
+[5206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5206),
+[5207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5207),
+[7970](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970),
+[7975](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7975),
+[CVE-2015-2925](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925),
+[8543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8543),
+[CVE-2016-3134](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3134),
+[3135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3135), etc.:
+The introduction of unprivileged user namespaces lead to a huge increase in the
+attack surface available to unprivileged users by giving such users legitimate
+access to previously root-only system calls like `mount()`. All of these CVEs
+are examples of security vulnerabilities due to introduction of user namespaces.
+Docker can use user namespaces to set up containers, but then disallows the
+process inside the container from creating its own nested namespaces through the
+default seccomp profile, rendering these vulnerabilities unexploitable.
+* [CVE-2014-0181](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0181),
+[CVE-2015-3339](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339):
+These are bugs that require the presence of a setuid binary. Docker disables
+setuid binaries inside containers via the `NO_NEW_PRIVS` process flag and
+other mechanisms.
+* [CVE-2014-4699](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4699):
+A bug in `ptrace()` could allow privilege escalation. Docker disables `ptrace()`
+inside the container using apparmor, seccomp and by dropping `CAP_PTRACE`.
+Three times the layers of protection there!
+* [CVE-2014-9529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529):
+A series of crafted `keyctl()` calls could cause kernel DoS / memory corruption.
+Docker disables `keyctl()` inside containers using seccomp.
+* [CVE-2015-3214](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3214),
+[4036](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4036): These are
+bugs in common virtualization drivers which could allow a guest OS user to
+execute code on the host OS. Exploiting them requires access to virtualization
+devices in the guest. Docker hides direct access to these devices when run
+without `--privileged`. Interestingly, these seem to be cases where containers
+are "more secure" than a VM, going against common wisdom that VMs are
+"more secure" than containers.
+* [CVE-2016-0728](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0728):
+Use-after-free caused by crafted `keyctl()` calls could lead to privilege
+escalation. Docker disables `keyctl()` inside containers using the default
+seccomp profile.
+* [CVE-2016-2383](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2383):
+A bug in eBPF -- the special in-kernel DSL used to express things like seccomp
+filters -- allowed arbitrary reads of kernel memory. The `bpf()` system call
+is blocked inside Docker containers using (ironically) seccomp.
+
+Bugs *not* mitigated:
+
+* [CVE-2015-3290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3290),
+[5157](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5157): Bugs in
+the kernel's non-maskable interrupt handling allowed privilege escalation.
+Can be exploited in Docker containers because the `modify_ldt()` system call is
+not currently blocked using seccomp.
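Review bot: the CVE-2014-4699 bullet names a capability that does not exist; the Linux capability governing ptrace is `CAP_SYS_PTRACE`, so "dropping `CAP_PTRACE`" should read "dropping `CAP_SYS_PTRACE`" (this is the name readers will grep for in the default capability set). Two wording points in the same hunk: the intro sentence "without adding extra capabilities or not run as `--privileged`" should be "and are not run as `--privileged`", since both conditions must hold for the mitigations listed here to apply, and "user namespaces lead to a huge increase" should be "led to". In the CVE-2016-2383 bullet, seccomp filters are written in classic BPF rather than eBPF, so "A bug in BPF" (or "in the eBPF verifier") would be more precise while keeping the point that the `bpf()` syscall is the eBPF entry point. Minor: `weight =-99` should be `weight = -99` to match the spacing of the other metadata keys.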