SoylentNews is people
SoylentNews
All versions of Docker are currently vulnerable to a race condition that could give an attacker both read and write access to any file on the host system. Proof-of-concept code has been released.
The flaw is similar to CVE-2018-15664 and it offers a window of opportunity for hackers to modify resource paths after resolution but before the assigned program starts operating on the resource. This is known as a time-to-check-time-to-use (TOCTOU) type of bug.
This discussion has been archived.
No new comments can be posted.
Unpatched Flaw Affects All Docker Versions, Exploits Ready
|
Log In/Create an Account
| Top
| 15 comments
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Remember the good old days, when CPU was singular?
(Score: 2, Interesting) by Anonymous Coward on Thursday May 30 2019, @12:01AM (2 children)
It is not a breakout from the container but a privilege escalation where the user authorized to manage container can become root. Were I work people with acces to docker-cli are sudoers to root so from the point of view of my organisation it is not a vulnerability.
(Score: 2) by HiThere on Thursday May 30 2019, @12:32AM (1 child)
Can I suggest that this is another reason that sudo is a very bad idea? And unless you're saying that nobody has access to docker-cli, it's a major problem at your site?
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 0) by Anonymous Coward on Thursday May 30 2019, @01:05AM
If you give sudo to untrustworthy people sure it a problem, but in a small team it's not.