CVSS v2 base score: 10.0 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS score: 0.973 (High), percentile 99.8%
Over the past year containers have developed at an astonishing pace, and a large number of domestic Internet companies now run Docker in production, at a scale of millions of instances. The recent disclosure of a security risk caused by a Swarm misconfiguration has also focused everyone's attention on Docker security. This article discusses Docker security from three angles: "Docker's own security", "Docker image security" and "security hazards in how Docker is used".
0x01 Docker's own security
Summarizing the Docker vulnerability reports published under CVE gives the following table:

| # | CVE | Version | Vulnerability |
|---|-----|---------|---------------|
| 1 | CVE-2015-3630 | 1.6.0 | Docker libcontainer security bypass vulnerability |
| 2 | CVE-2015-3627 | 1.6.1 | libcontainer and Docker Engine permission and access control vulnerability |
| 3 | CVE-2015-3630 | 1.6.1 | Docker Engine security bypass vulnerability |
| 4 | CVE-2014-9358 | 1.3.3 | Docker directory traversal vulnerability |
| 5 | CVE-2014-9357 | 1.3.2 | Docker permission and access control vulnerability |
| 6 | CVE-2014-6408 | 1.3.1 | Docker permission and access control vulnerability |
| 7 | CVE-2014-5277 | 1.3.0 | Docker and docker-py code injection vulnerability |

All vulnerabilities: https://docs.docker.com/engine/security/non-events/
As the table shows, the affected Docker versions are all in the 1.3 and 1.6 series, and the permission and access control problems among them could allow an attacker to escape from a container and obtain privileges on the host. Docker released its latest version, 1.12, in June, and from 1.6 up to 1.12 no new vulnerabilities have been disclosed, leaving aside possible 0-days. Docker's own security can therefore basically be relied on: both the isolation between containers and the resource limits placed on containers perform very well. Most security problems instead come from the user side, where a container is not used correctly or is misconfigured, so that it runs in a dangerous state.
0x02 Docker image security
The container environment is built from the container image, so once an image carries a risk the security of the container is greatly reduced. A container image is built up layer by layer from a Dockerfile, as shown below:
![](/Article/UploadPic/2016-7/201676115312311.png)
The bottom base image refers to "atiger77:1.0"; the second layer adds a run.sh script to a directory in the container on top of it; and the third layer executes run.sh when the container starts. Docker images have their own caching mechanism: during a build each layer is checked in turn, and if an underlying layer has not changed its build step is skipped and the cached layer is reused to save build time; if a change is detected, the build action for that layer is started.
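A Dockerfile that produces the three layers just described, added here as an illustration rather than taken from the article. `atiger77:1.0` is the base image named above; the contents of `run.sh` and the exact instructions the author used are assumptions.

```dockerfile
# Added example, not the article's own Dockerfile.
# Layer 1: the base image named in the article.
FROM atiger77:1.0

# Layer 2: add run.sh to the container. The cache key for COPY/ADD includes a
# checksum of the file contents, so editing run.sh invalidates this layer and
# every layer built after it. (Destination path is an assumption.)
COPY run.sh /run.sh

# Layer 3: execute run.sh when the container starts. (Shell is an assumption;
# the article only says run.sh is executed at runtime.)
CMD ["/bin/sh", "/run.sh"]
```

Two cache behaviours matter for security here. For `COPY` and `ADD` the cache key covers the file contents, so a changed `run.sh` correctly triggers a rebuild from layer 2 onward. For `RUN`, however, the cache key is only the instruction text: a layer such as `RUN apt-get update && apt-get upgrade -y` is served from cache on every later build and never picks up newly published security patches until the cache is bypassed with `docker build --no-cache .` or the instruction text itself changes.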
Container image security is discussed here in two main cases:
SoftwareVulnerability: images whose installed software contains high-risk vulnerabilities
BadImages: container images that contain a backdoor