Docker Releases Security Update to Fix Long-Standing Permission Bypass Vulnerability, Urges Users to Upgrade Promptly
Container platform developer Docker has released a security update for a critical vulnerability in Docker Engine that, in deployments using an AuthZ authorization plugin, lets an attacker with access to the Docker API bypass that plugin's access-control decisions.
The vulnerability was first found and fixed in Docker Engine v18.09.1, released in January 2019. The fix was never carried forward into later release lines, however, so every subsequent version regressed to the vulnerable behaviour.
The flaw was rediscovered in April 2024, and it was not until July 23, 2024 that Docker released patches for all supported release lines of Docker Engine to close the hole for good.
Whether anyone exploited the vulnerability to gain unauthorized access to Docker hosts during the five years it went unfixed is unknown. Docker users are nonetheless strongly advised to upgrade to a patched version immediately.
Vulnerability Overview:
Tracked as CVE-2024-41110 with a maximum CVSS score of 10.0, the flaw is triggered by an API request whose Content-Length header is set to 0: the Docker daemon forwards such a request to the AuthZ authorization plugin without its body.
Normally the request body carries the data the plugin needs to make an access-control decision, for example the container specification in a container-create call, and a plugin that cannot see that data would be expected to deny the request.
With the body stripped, however, the plugin may approve a request it would otherwise have rejected, which lets the caller perform actions the plugin was meant to block, including unauthorized privilege escalation through the Docker API.
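The failure mode described above, as an added illustration that is not Docker's code nor any shipped plugin: a minimal AuthZ plugin decision routine enforcing a "no privileged containers" policy, evaluated once in the fail-open form (the plugin only objects to what it can see, so a container-create that arrives with no body is approved) and once in a fail-closed form that refuses to authorize a mutating request whose body it did not receive. The request and response field names follow the documented AuthZ plugin API; the policy, the endpoint match and the two sample requests (one with a privileged container spec, one with Content-Length: 0 and the body absent, as the daemon forwards it) are constructed for this example. The fail-closed variant is defence in depth for plugin authors, not a substitute for the daemon-side fix.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Request mirrors the JSON the daemon POSTs to a plugin's
// /AuthZPlugin.AuthZReq endpoint. RequestBody is a []byte, which
// encoding/json carries as base64 on the wire.
type Request struct {
	User            string            `json:"User"`
	UserAuthNMethod string            `json:"UserAuthNMethod"`
	RequestMethod   string            `json:"RequestMethod"`
	RequestURI      string            `json:"RequestUri"`
	RequestHeaders  map[string]string `json:"RequestHeaders"`
	RequestBody     []byte            `json:"RequestBody"`
}

// Response is the plugin's verdict.
type Response struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// createSpec is the slice of the container-create body this example policy inspects.
type createSpec struct {
	HostConfig struct {
		Privileged bool `json:"Privileged"`
	} `json:"HostConfig"`
}

// isContainerCreate matches POST /<api-version>/containers/create, ignoring the query string.
func isContainerCreate(r Request) bool {
	path := r.RequestURI
	if i := strings.IndexByte(path, '?'); i >= 0 {
		path = path[:i]
	}
	return r.RequestMethod == "POST" && strings.HasSuffix(path, "/containers/create")
}

// decide enforces "no privileged containers". With failClosed=false it only
// objects to what it can see, so a create request that arrives without a
// body is approved; with failClosed=true such a request is denied.
func decide(r Request, failClosed bool) Response {
	if !isContainerCreate(r) {
		return Response{Allow: true} // this example policy only covers container creation
	}
	if len(r.RequestBody) == 0 {
		if failClosed {
			return Response{Allow: false, Msg: "container create without an inspectable body is refused"}
		}
		return Response{Allow: true} // fail-open path: nothing seen, nothing denied
	}
	var spec createSpec
	if err := json.Unmarshal(r.RequestBody, &spec); err != nil {
		return Response{Allow: false, Err: "unparseable container spec: " + err.Error()}
	}
	if spec.HostConfig.Privileged {
		return Response{Allow: false, Msg: "privileged containers are not permitted"}
	}
	return Response{Allow: true}
}

// handleAuthZReq is the plugin-side entry point: decode the daemon's JSON, decide, encode.
func handleAuthZReq(payload []byte, failClosed bool) ([]byte, error) {
	var req Request
	if err := json.Unmarshal(payload, &req); err != nil {
		return nil, err
	}
	return json.Marshal(decide(req, failClosed))
}

// sampleRequests builds two constructed requests: the honest form, where the
// daemon forwards the body, and the body-less form the daemon forwards when
// the client declares Content-Length: 0.
func sampleRequests() (withBody, bodyless Request) {
	spec := []byte(`{"Image":"alpine","Cmd":["sh"],"HostConfig":{"Privileged":true}}`)
	withBody = Request{
		User: "alice", UserAuthNMethod: "TLS", RequestMethod: "POST",
		RequestURI:     "/v1.45/containers/create?name=probe",
		RequestHeaders: map[string]string{"Content-Type": "application/json", "Content-Length": fmt.Sprint(len(spec))},
		RequestBody:    spec,
	}
	bodyless = withBody
	bodyless.RequestHeaders = map[string]string{"Content-Type": "application/json", "Content-Length": "0"}
	bodyless.RequestBody = nil
	return withBody, bodyless
}

func main() {
	withBody, bodyless := sampleRequests()
	for _, r := range []Request{withBody, bodyless} {
		payload, _ := json.Marshal(r)
		for _, closed := range []bool{false, true} {
			out, err := handleAuthZReq(payload, closed)
			fmt.Printf("Content-Length=%s failClosed=%v -> %s %v\n", r.RequestHeaders["Content-Length"], closed, out, err)
		}
	}
}
```

Running the block shows the same privileged spec denied when the body is present, approved by the fail-open plugin when the body is missing, and denied again by the fail-closed plugin. The point for plugin authors is that "deny what you can see" policies silently degrade to "allow" when the daemon gives them nothing to see.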
Affected Versions:
If an authorization plugin is in use, the affected versions are Docker Engine up to and including v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3 and v27.1.0.
Deployments that do not use an AuthZ plugin are not affected: the bypass only matters when a plugin is making access-control decisions, so without one no version of Docker Engine is exposed. Users of Docker's commercial products who do not rely on an AuthZ plugin are likewise unaffected.
Docker has released patched versions newer than v23.0.14 and v27.1.0, namely v23.0.15, v26.1.5 and v27.1.1. Docker Desktop v4.32.0 bundles an affected engine and is therefore also vulnerable; Docker plans to fix it in the upcoming v4.33.0 release.
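A quick check of an installed engine against the affected list above, added here as example code rather than anything Docker ships: it parses a version string such as the output of `docker version --format '{{.Server.Version}}'`, finds the matching release line, and reports the version as affected when it is at or below the highest affected release of that line, as not affected when it is newer, and as not listed when the line (for example 18.09) is not covered by the list, in which case the advisory itself should be consulted. The three-way status, the version parser and the sample inputs are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// highestAffected lists, per release line, the newest release the advisory
// marks as affected; every release of that line up to and including it is
// vulnerable when an AuthZ plugin is in use.
var highestAffected = []string{
	"19.03.15", "20.10.27", "23.0.14", "24.0.9", "25.0.5",
	"26.0.2", "26.1.4", "27.0.3", "27.1.0",
}

type Status int

const (
	Affected    Status = iota // release line listed and version <= highest affected
	NotAffected               // release line listed and version newer than it
	NotListed                 // release line not in the list; consult the advisory
)

func (s Status) String() string {
	return [...]string{"affected", "not affected", "release line not listed"}[s]
}

// parseVersion accepts "27.1.0", "v27.1.0", "27.1.0-rc.1" or "20.10.27+dfsg1"
// and returns the numeric major.minor.patch triple.
func parseVersion(v string) (int, int, int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i] // drop pre-release / build metadata
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, errors.New("expected major.minor.patch, got " + strconv.Quote(v))
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, convErr := strconv.Atoi(p)
		if convErr != nil || n < 0 {
			return 0, 0, 0, errors.New("non-numeric version component " + strconv.Quote(p))
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// classify compares an engine version against highestAffected.
func classify(version string) (Status, error) {
	mjr, mnr, pch, err := parseVersion(version)
	if err != nil {
		return NotListed, err
	}
	for _, a := range highestAffected {
		amjr, amnr, apch, _ := parseVersion(a) // list entries are well-formed
		if amjr == mjr && amnr == mnr {
			if pch <= apch {
				return Affected, nil
			}
			return NotAffected, nil
		}
	}
	return NotListed, nil
}

func main() {
	// Constructed sample inputs; in practice feed the output of
	// `docker version --format '{{.Server.Version}}'`.
	for _, v := range []string{"27.1.0", "27.1.1", "26.1.3", "26.1.5", "23.0.15", "20.10.27+dfsg1", "18.09.1", "latest"} {
		s, err := classify(v)
		if err != nil {
			fmt.Printf("%-16s error: %v\n", v, err)
			continue
		}
		fmt.Printf("%-16s %s\n", v, s)
	}
}
```

Note that the check only tells you where the engine version stands; it does not know whether an AuthZ plugin is actually configured, which is what decides whether an affected version is exposed.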
Users who cannot upgrade promptly are advised to disable the AuthZ authorization plugin and to restrict access to the Docker API to trusted users only, following the principle of least privilege and denying access to everyone else.