我們使用 cookie 來幫助我們改善網頁體驗。請閱讀我們的 Cookie 政策

AS-2024-001: Docker Engine

2024-03-13

Severity

Important

Status

Resolved


Statement

Multiple Vulnerabilities in runc, BuildKit, and Docker Engine that have been fixed in the latest release of Docker Engine and related modules.

CVE-2024-21626 and CVE-2024-24557 affected ASUSTOR products with ADM 4.2 and ADM 4.0 which the Docker Engine are installed. Updates with new Docker Engine version will be released as soon as possible.

  • Docker Engine v23.0.5.r1 has been updated on the App Central for ADM 4.2 and ADM 4.0 to resolve the issues.

Affected Products

Product Severity Fixed Release Availability
ADM 4.2 and 4.1 Important Upgrade to Docker Engine v23.0.5.r1 or above.
ADM 4.0 for x86-64 models Important Upgrade to Docker Engine v23.0.5.r1 or above

Detail

  • CVE-2024-21626
    • Severity: High
    • runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
  • CVE-2024-24557
    • Severity: Medium
    • Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.

Reference


Revision

Revision Date Description
1 2024-02-15 Initial public release.
2 2024-03-13 Release Docker Engine v25.0.3.r1 for fixing the issues.