If you’re using Docker, the open source platform for building, shipping and running distributed applications on almost any platform, be sure to update to the latest version (v1.3.2), as all previous ones sport a critical bug that can be misused by an attacker to gain elevated privileges and execute malicious code remotely.
The update was released on Monday – for all supported platforms – and can be picked up here.
“The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations. This was caused by symlink and hardlink traversals present in Docker’s image extraction,” the company behind the software explained in a security advisory.
“Docker 1.3.2 remedies this vulnerability. Additional checks have been added to pkg/archive and image extraction is now performed in a chroot. No remediation is available for older versions of Docker and users are advised to upgrade,” they urged.
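The advisory says the fix adds checks to the extractor. As an added illustration, not Docker’s own pkg/archive code, the Go snippet below shows what such a check has to cover: it rejects an archive entry whose path, symlink target or hardlink target resolves outside the extraction root, and also an entry that would be written through a symlink the same archive declared earlier (the case a per-entry path check alone misses). The function names, the root directory and the sample header list are assumptions made for the example.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// CheckEntry validates one header against the cleaned root dest; seen holds symlinks declared earlier in this archive.
func CheckEntry(dest string, h *tar.Header, seen map[string]bool) error {
	inside := func(p string) bool { return p == dest || strings.HasPrefix(p, dest+"/") }
	target := filepath.Join(dest, h.Name) // Join also cleans ".." components
	if !inside(target) {
		return fmt.Errorf("entry %q escapes %s", h.Name, dest)
	}
	for dir := filepath.Dir(target); len(dir) > len(dest); dir = filepath.Dir(dir) {
		if seen[dir] {
			return fmt.Errorf("entry %q passes through archive symlink %q", h.Name, dir)
		}
	}
	if h.Typeflag == tar.TypeSymlink { // absolute targets resolve against the host root
		seen[target] = true // remember it even when rejected
		if filepath.IsAbs(h.Linkname) || !inside(filepath.Join(filepath.Dir(target), h.Linkname)) {
			return fmt.Errorf("symlink %q -> %q leaves %s", h.Name, h.Linkname, dest)
		}
	}
	if h.Typeflag == tar.TypeLink && !inside(filepath.Join(dest, h.Linkname)) { // root-relative
		return fmt.Errorf("hardlink %q -> %q leaves %s", h.Name, h.Linkname, dest)
	}
	return nil
}

// ScanSample runs CheckEntry in archive order over a constructed header list (not a real image
// layer): a benign file plus the symlink and hardlink shapes the advisory names. Returns rejects.
func ScanSample(dest string) (bad []string) {
	layer := []tar.Header{
		{Name: "etc/motd", Typeflag: tar.TypeReg},
		{Name: "up", Typeflag: tar.TypeSymlink, Linkname: "../.."},
		{Name: "up/inner", Typeflag: tar.TypeReg},
		{Name: "hard", Typeflag: tar.TypeLink, Linkname: "../../host-file"},
	}
	dest, seen := filepath.Clean(dest), map[string]bool{}
	for i := range layer {
		if CheckEntry(dest, &layer[i], seen) != nil {
			bad = append(bad, layer[i].Name)
		}
	}
	return bad
}
```

The check is purely lexical, which is why the advisory’s second measure, performing extraction inside a chroot, still matters: it bounds what an entry can reach even if a check is bypassed.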
The latest version also solves a critical bug that could lead to container escalation, and includes several other changes that will improve usability.
The discovery of the privilege escalation vulnerability (CVE-2014-6407) has been attributed to Florian Weimer of the Red Hat security team and to independent researcher Tõnis Tiigi.