Reading Time: 1 minute

Docker has released a critical security updates to address security flaws in Docker versions prior to version 1.3.2. These include fixes for two critical vulnerabilities, one of which could allow an attacker to escalate privileges and execute remote code.

Docker is a popular open source project for Linux that automates application deployment of applications inside a software container.

1) The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations. This was caused by symlink and hardlink traversals present in Docker’s image extraction. This vulnerability could
be leveraged to perform remote code execution and privilege escalation.

Docker 1.3.2 fixes this vulnerability.

2) Docker versions 1.3.0 through 1.3.1 allowed security options to be applied to images, allowing images to modify the default run profile of containers executing these images. This vulnerability could allow a malicious image creator to loosen the restrictions applied to a container’s processes, potentially facilitating a break-out.

Docker 1.3.2 fixes this vulnerability.