Bugzilla – Bug 976777
VUL-0: CVE-2016-3697: docker: Potential privilege escalation via confusion of usernames and UIDs
Last modified: 2018-12-14 15:12:51 UTC
rh#1329450

Container launch does not distinguish between numeric UIDs and string usernames. A malicious image can provide a username to UID mapping at a high privileged level. This means that innocuous-looking launches such as:

docker -u 1000 ...

actually result in the image processes running as root. This ambiguity also confuses OpenShift's UID-based controls.

Acknowledgments: Mrunal Patel (Red Hat)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1329450
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3697
This was fixed in libcontainer here[1], and in Docker upstream here[2] (which was a vendor update). We can backport this patch to 1.10.3, which (I believe) was just released.

[1]: https://github.com/opencontainers/runc/commit/69af385de62ea68e2e608335cffbb0f4aa3db091
[2]: https://github.com/docker/docker/commit/da38ac6c79fe902ed0687afc73d731c95c6d491a
It should actually be noted that this doesn't just affect `docker run -u` invocations. It also affects `USER` directives in Dockerfiles.
I've opened mr#113322, which fixes this issue for SLE. I'm also going to fix Docker 1.11 for openSUSE and supersede the existing maintenance update for Docker.
This is an autogenerated message for OBS integration: This bug (976777) was mentioned in https://build.opensuse.org/request/show/391280 Factory / docker
SUSE-SU-2016:1159-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 976777
CVE References: CVE-2016-3697
Sources used:
SUSE OpenStack Cloud 6 (src): docker-1.10.3-66.1
SUSE Linux Enterprise Module for Containers 12 (src): docker-1.10.3-66.1
This is an autogenerated message for OBS integration: This bug (976777) was mentioned in https://build.opensuse.org/request/show/392081 Factory / docker
This is an autogenerated message for OBS integration: This bug (976777) was mentioned in https://build.opensuse.org/request/show/392093 13.2 / docker https://build.opensuse.org/request/show/392108 13.2+42.1 / docker
This is an autogenerated message for OBS integration: This bug (976777) was mentioned in https://build.opensuse.org/request/show/393252 Factory / docker
openSUSE-SU-2016:1417-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 976777
CVE References: CVE-2016-3697
Sources used:
openSUSE 13.2 (src): docker-1.9.1-56.1
This is an autogenerated message for OBS integration: This bug (976777) was mentioned in https://build.opensuse.org/request/show/412585 42.2 / docker
This has been fixed in all the relevant distributions quite a while ago (either through an update to a newer Docker version or via backport).