URL:
https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/
Submission: On July 28 via api from IN — Scanned from US
DOCKER SECURITY ADVISORY: AUTHZ PLUGIN BYPASS REGRESSION IN DOCKER ENGINE
Gabriela Georgieva

Certain versions of Docker Engine have a security vulnerability that could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. This advisory outlines the issue, identifies the affected versions, and provides remediation steps for impacted users.

PROBLEM

Docker's default authorization model is all-or-nothing: any user who can reach the Docker daemon can execute any Docker command. For finer-grained access control, authorization plugins (AuthZ) can be used. These plugins approve or deny each request to the Docker daemon based on the authenticated user and the command context.

In 2018, a security issue was discovered where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later versions, resulting in a regression.

VULNERABILITY DETAILS

* AuthZ bypass and privilege escalation: An attacker could send an API request with Content-Length set to 0. The Docker daemon then forwards the request to the AuthZ plugin without its body, so a plugin that bases its decision on the request body has nothing to inspect and, unless it denies by default, approves the request incorrectly.
* Initial fix: The issue was fixed in Docker Engine v18.09.1 in January 2019.
* Regression: The fix was not included in Docker Engine v19.03 or newer versions. The regression was identified in April 2024, and patches were released for the affected versions on July 23, 2024. The issue was assigned CVE-2024-41110.

AFFECTED VERSIONS

Branch    Affected versions    Patched versions
v19.03    <= v19.03.15         none listed
v20.10    <= v20.10.27         none listed
v23.0     <= v23.0.14          > v23.0.14
v24.0     <= v24.0.9           none listed
v25.0     <= v25.0.5           none listed
v26.0     <= v26.0.2           none listed
v26.1     <= v26.1.4           > v26.1.4
v27.0     <= v27.0.3           none listed
v27.1     <= v27.1.0           > v27.1.0

Patched releases are listed for the v23.0, v26.1 and v27.1 branches only; users on any other affected branch should move to one of those patched releases.

WHO IS IMPACTED?

* Users of Docker Engine v19.03.x and later who rely on authorization plugins to make access control decisions.

WHO IS NOT IMPACTED?

* Users of Docker Engine v19.03.x and later who do not rely on authorization plugins to make access control decisions.
* Users of all versions of Mirantis Container Runtime.
* Users of Docker commercial products and internal infrastructure who do not rely on AuthZ plugins.

IMPACT ON DOCKER DESKTOP

* Docker Desktop up to v4.32.0 includes affected versions of Docker Engine.
* The impact for Docker Desktop is limited compared to production environments:
  * Exploitation requires access to the Docker API, which usually means the attacker already has local access to the host machine, unless the Docker daemon is insecurely exposed over TCP.
  * The default Docker Desktop configuration does not include AuthZ plugins.
  * Privilege escalation is limited to the Docker Desktop VM, not the underlying host.
* A patched version of Docker Engine will be included in Docker Desktop v4.33.

REMEDIATION STEPS

1. Update Docker Engine: if you are running an affected version, update to the most recent patched version.
2. Mitigation if unable to update immediately:
  * Avoid using AuthZ plugins. Note that without a plugin the daemon falls back to the all-or-nothing model described above, so this only makes sense together with the next point.
  * Restrict access to the Docker API to trusted parties, following the principle of least privilege.
3. Update Docker Desktop:
  * If using an affected version, update to Docker Desktop 4.33 once it is released.
  * Ensure AuthZ plugins are not used, and do not expose the Docker API over TCP without protection.
  * Docker Business subscribers can use Settings Management to enforce secure settings.

LEARN MORE

* See the GitHub security advisory.
* Authenticate and update to receive your subscription level's newest Docker Desktop features.
* New to Docker? Create an account.
* Subscribe to the Docker Newsletter.
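The following Go program is an added example written for this page; it is not Docker's code and not the code of any published AuthZ plugin. It sketches a request-side authorization plugin in the shape of the Docker plugin protocol (the Plugin.Activate and AuthZPlugin.AuthZReq endpoints, with the caller's request body delivered as a byte array) and contrasts two policies for the same rule: one that only denies what it can positively see in the body, which is the allow-by-default pattern the advisory warns about and which approves a body-less request, and one that refuses to authorize when the body is missing or unparsable. The rule itself (block privileged container creation), the function names and the sample requests are my own constructions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
)

// AuthZRequest mirrors the JSON the daemon POSTs to /AuthZPlugin.AuthZReq.
// RequestBody is base64 on the wire; encoding/json decodes it into []byte.
// Field names follow the plugin protocol; everything below them is example policy.
type AuthZRequest struct {
	User           string            `json:"User"`
	RequestMethod  string            `json:"RequestMethod"`
	RequestURI     string            `json:"RequestURI"`
	RequestBody    []byte            `json:"RequestBody"`
	RequestHeaders map[string]string `json:"RequestHeaders"`
}

// AuthZResponse is the plugin's verdict for one request.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// Matches /containers/create with or without an API version prefix.
var createRe = regexp.MustCompile(`^/(v[0-9.]+/)?containers/create`)

// privilegedFromBody reports HostConfig.Privileged from a container-create body.
// ok is false when the body is absent or not JSON, which is what the plugin
// sees when the daemon forwards a Content-Length: 0 request without its body.
func privilegedFromBody(body []byte) (priv, ok bool) {
	var cfg struct {
		HostConfig struct {
			Privileged bool `json:"Privileged"`
		} `json:"HostConfig"`
	}
	if len(body) == 0 || json.Unmarshal(body, &cfg) != nil {
		return false, false
	}
	return cfg.HostConfig.Privileged, true
}

// decideAllowByDefault is the weak policy: it denies only when it positively
// sees Privileged:true. With no body there is nothing to see, so it allows.
func decideAllowByDefault(r AuthZRequest) AuthZResponse {
	if r.RequestMethod == http.MethodPost && createRe.MatchString(r.RequestURI) {
		if priv, _ := privilegedFromBody(r.RequestBody); priv {
			return AuthZResponse{Allow: false, Msg: "privileged containers are not permitted"}
		}
	}
	return AuthZResponse{Allow: true}
}

// decideDenyByDefault is the hardened policy: read-only calls pass, container
// creation passes only with a present, parsable, unprivileged body, and any
// request the plugin does not understand is denied.
func decideDenyByDefault(r AuthZRequest) AuthZResponse {
	if r.RequestMethod == http.MethodGet || r.RequestMethod == http.MethodHead {
		return AuthZResponse{Allow: true}
	}
	if r.RequestMethod == http.MethodPost && createRe.MatchString(r.RequestURI) {
		priv, ok := privilegedFromBody(r.RequestBody)
		switch {
		case !ok:
			return AuthZResponse{Allow: false, Msg: "request body missing or unparsable; refusing to authorize"}
		case priv:
			return AuthZResponse{Allow: false, Msg: "privileged containers are not permitted"}
		}
		return AuthZResponse{Allow: true}
	}
	return AuthZResponse{Allow: false, Msg: "not permitted by policy"}
}

// newMux wires a decision function to the activation and request-side
// endpoints; a real plugin serves this mux over its unix socket.
func newMux(decide func(AuthZRequest) AuthZResponse) *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/Plugin.Activate", func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(map[string][]string{"Implements": {"authz"}})
	})
	mux.HandleFunc("/AuthZPlugin.AuthZReq", func(w http.ResponseWriter, req *http.Request) {
		var r AuthZRequest
		if err := json.NewDecoder(req.Body).Decode(&r); err != nil {
			json.NewEncoder(w).Encode(AuthZResponse{Allow: false, Msg: "malformed authz request"})
			return
		}
		json.NewEncoder(w).Encode(decide(r))
	})
	return mux
}

func main() {
	// Constructed sample requests, not captured daemon traffic.
	priv := AuthZRequest{RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
		RequestBody: []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)}
	noBody := priv
	noBody.RequestBody = nil // what the plugin receives after a Content-Length: 0 request
	for _, r := range []AuthZRequest{priv, noBody} {
		fmt.Printf("body=%q allow-by-default=%v deny-by-default=%v\n",
			r.RequestBody, decideAllowByDefault(r).Allow, decideDenyByDefault(r).Allow)
	}
	_ = newMux(decideDenyByDefault)
}
```

The response-side hook (/AuthZPlugin.AuthZRes) that a complete plugin must also serve is omitted here. The point of the contrast is that the fix in a plugin is not to parse harder but to change the default: a decision function that returns Allow only on a positive match is safe against any path, including a daemon bug, that strips the evidence it relies on.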
POSTED Jul 23, 2024
POST TAGS Docker Desktop, Docker engine, security