Moby is an open-source project created by Docker to enable software
containerization. The classic builder's cache system is prone to cache
poisoning if the image is built FROM scratch. Also, changes to some
instructions (most importantly HEALTHCHECK and ONBUILD) would not cause
a cache miss. An attacker with knowledge of the Dockerfile someone is
using could poison their cache by making them pull a specially crafted
image that would be considered a valid cache candidate for some build
steps. 23.0+ users are only affected if they explicitly opted out of
BuildKit (DOCKER_BUILDKIT=0 environment variable) or are using the /build
API endpoint. All users on versions older than 23.0 could be impacted.
The image build API endpoint (/build) and the ImageBuild function from
github.com/docker/docker/client are also affected, as they use the classic
builder by default. Patches are included in the 24.0.9 and 25.0.2 releases.
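A triage helper, added here as an example and not part of the advisory or the Moby project, that encodes the affected-version logic above so a daemon version and builder setting can be classified before builds run on it. It assumes (our assumption, not stated on the page) that releases newer than 25.0.2 also carry the fix.

```shell
#!/bin/sh
# Classify a Docker Engine version plus builder selection against the advisory:
#   < 23.0            : affected regardless (classic builder is the default)
#   23.0+             : affected only with DOCKER_BUILDKIT=0 or via the /build API
#   24.0.9 / 25.0.2   : patched releases (assumption: later releases are fixed too)

# vernum "24.0.9-ubuntu1" -> 24000009 ; missing components count as 0
vernum() {
  v=${1%%[!0-9.]*}                  # drop distro suffixes such as "-ubuntu1"
  oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Usage: classic_builder_exposure VERSION [DOCKER_BUILDKIT value] [api]
# Prints "affected" or "not-affected".
classic_builder_exposure() {
  v=$(vernum "$1"); bk=${2:-}; via=${3:-}
  if [ "$v" -lt "$(vernum 23.0.0)" ]; then
    echo affected; return 0
  fi
  # 23.0+ reaches the classic builder only by opt-out or through /build
  if [ "$bk" != "0" ] && [ "$via" != "api" ]; then
    echo not-affected; return 0
  fi
  if [ "$v" -ge "$(vernum 25.0.2)" ]; then
    echo not-affected; return 0
  fi
  if [ "$v" -ge "$(vernum 24.0.9)" ] && [ "$v" -lt "$(vernum 25.0.0)" ]; then
    echo not-affected; return 0
  fi
  echo affected
}

# With --local, query the running daemon (skipped when docker is unavailable).
if [ "${1:-}" = "--local" ] && command -v docker >/dev/null 2>&1; then
  srv=$(docker version --format '{{.Server.Version}}' 2>/dev/null || echo 0)
  echo "server $srv DOCKER_BUILDKIT=${DOCKER_BUILDKIT:-unset}: $(classic_builder_exposure "$srv" "${DOCKER_BUILDKIT:-}")"
fi
```

Run as `sh triage.sh --local` on a build host, or call classic_builder_exposure directly for an inventory of versions; a result of "affected" means builds should be moved to BuildKit or run with --no-cache until the daemon is updated.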
Notes
Author | Note
alexmurray | Traditionally the docker.io source package contained both the library and docker application. However, in releases that contain the docker.io-app source package, the docker.io source package contains only the library whilst the docker application itself is contained in the docker.io-app package.