Security Advisory Details

NS-SA-2022-0018

2022-05-08 18:10:49

Summary

moderate: docker-ce security update

Severity

moderate

Subject

An update for docker-ce is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

docker-ce: Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This means they can run anywhere, from your laptop to the largest EC2 compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. That makes them great building blocks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider.


Security Fix(es):
docker-ce: A file permissions vulnerability was found in Moby (Docker Engine). Copying files with `docker cp` into a specially crafted container can change the Unix file permissions of existing files on the host's filesystem, which might lead to privilege escalation and allow an attacker access to restricted data. (CVE-2021-41089)
docker-ce: A file permissions vulnerability was found in Moby (Docker Engine). The Moby data directory (usually /var/lib/docker) contains subdirectories with insufficiently restricted permissions, allowing unprivileged Linux users to traverse directory contents and execute programs. When a running container contains executable programs with extended permission bits (such as setuid), unprivileged Linux users on the host can discover and execute those programs. Additionally, when the UID of an unprivileged Linux user on the host collides with the file owner or group inside a container, that host user can discover, read, and modify those files. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. (CVE-2021-41091)
docker-ce: bugfix
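The CVE-2021-41091 condition above is easy to check for after the update is applied. The script below is an added example, not part of this advisory and not NewStart's or Moby's code: it reports whether the data directory (and the subdirectories that hold layer and container content) carry any "other" permission bits, counts the setuid/setgid files beneath it that would become runnable by any host user once the tree is traversable, and compares the installed package name with the x86_64 build listed under Update Packages. It assumes POSIX ls, cut, find and wc; the "any other-bit is a finding" rule is a conservative assumption made here (a patched engine keeps the data directory closed to other users), and the package check is an exact-match against the advisory build only, so a newer build is reported as "not the advisory build" rather than as vulnerable.

```shell
#!/bin/sh
# Added example (not NewStart's or Moby's code): audit a Docker data
# directory for the CVE-2021-41091 condition, i.e. the tree being
# traversable by host users other than root. Assumptions: POSIX ls/cut/
# find/wc; any "other" permission bit on the tree is treated as a finding.

DOCKER_ROOT="${DOCKER_ROOT:-/var/lib/docker}"
# Fixed package name taken from this advisory's update list (x86_64 build).
FIXED_NVR="docker-ce-17.03.3-1.el7.2112010525gitecf9c0c.x86_64"

# other_bits PATH -> prints the "other" rwx triplet from ls -ld, e.g. "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# dir_is_world_traversable DIR -> true when any "other" bit is set.
dir_is_world_traversable() {
    [ "$(other_bits "$1")" != "---" ]
}

# count_setid_files DIR -> number of setuid/setgid regular files under DIR.
# These are what an unprivileged host user could run once the tree is open.
count_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# audit_docker_root DIR -> prints one line per finding; returns 1 if the
# tree is traversable by others, 0 if closed, 2 if DIR does not exist.
audit_docker_root() {
    root="$1"
    rc=0
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # The root plus the subdirectories that hold layer and container content.
    for d in "$root" "$root/overlay2" "$root/containers" "$root/volumes" "$root/image"; do
        [ -d "$d" ] || continue
        if dir_is_world_traversable "$d"; then
            echo "world-traversable: $d ($(ls -ld "$d" | cut -c1-10))"
            rc=1
        fi
    done
    n="$(count_setid_files "$root")"
    if [ "$n" -gt 0 ]; then
        echo "setuid/setgid files under $root: $n"
        # Listing them only matters when an unprivileged user can reach them.
        [ "$rc" -eq 1 ] && find "$root" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    fi
    return $rc
}

# is_fixed_build NVR -> true when NVR is exactly the advisory's x86_64 build.
is_fixed_build() {
    [ "$1" = "$FIXED_NVR" ]
}

main() {
    installed="$(rpm -q docker-ce 2>/dev/null || echo none)"
    if is_fixed_build "$installed"; then
        echo "package: $installed (advisory build)"
    else
        echo "package: $installed (not the advisory build; verify against NS-SA-2022-0018)"
    fi
    audit_docker_root "$DOCKER_ROOT"
}

# Run as: sh audit.sh --run   (as root, so find can descend into layers)
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root so that `find` can descend into the layer directories; a non-zero exit from `audit_docker_root` on a host that already carries the update is worth investigating, since a data directory that was created by an older engine keeps its original mode until corrected.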


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F39B5.

Affected Components

  • docker-ce

Affected Products

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

Update Packages

CGSL MAIN 5.04
  • Source: docker-ce-17.03.3-1.el7.2112010525gitecf9c0c.src.rpm
  • Binary: docker-ce-17.03.3-1.el7.2112010525gitecf9c0c.x86_64.rpm
  • Binary: docker-ce-debuginfo-17.03.3-1.el7.2112010525gitecf9c0c.x86_64.rpm

CGSL CORE 5.04
  • Source: docker-ce-17.03.3-1.el7.2112010525gitecf9c0c.src.rpm
  • Binary: docker-ce-17.03.3-1.el7.2112010525gitecf9c0c.x86_64.rpm
  • Binary: docker-ce-debuginfo-17.03.3-1.el7.2112010525gitecf9c0c.x86_64.rpm

CVE

  • CVE-2021-41089
  • CVE-2021-41091

References