URL: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/
DOCKER SECURITY ADVISORY: AUTHZ PLUGIN BYPASS REGRESSION IN DOCKER ENGINE

Gabriela Georgieva


Certain versions of Docker Engine have a security vulnerability that could allow
an attacker to bypass authorization plugins (AuthZ) under specific
circumstances. The base likelihood of this being exploited is low. This advisory
outlines the issue, identifies the affected versions, and provides remediation
steps for impacted users.


PROBLEM

Docker’s default authorization model is all-or-nothing. Users with access to the
Docker daemon can execute any Docker command. For greater access control,
authorization plugins (AuthZ) can be used. These plugins approve or deny
requests to the Docker daemon based on authentication and command context.

In 2018, a security issue was discovered where an attacker could bypass AuthZ
plugins using a specially crafted API request. This could lead to unauthorized
actions, including privilege escalation. Although this issue was fixed in Docker
Engine v18.09.1 in January 2019, the fix was not carried forward to later
versions, resulting in a regression.


VULNERABILITY DETAILS

 * AuthZ bypass and privilege escalation: An attacker could exploit a bypass
   using an API request with Content-Length set to 0, causing the Docker daemon
   to forward the request without the body to the AuthZ plugin, which might
   approve the request incorrectly if not set to deny by default.
 * Initial fix: The issue was fixed in Docker Engine v18.09.1 in January 2019.
 * Regression: The fix was not included in Docker Engine v19.03 or newer
   versions. This was identified in April 2024 and patches were released for the
   affected versions on July 23, 2024. The issue was assigned CVE-2024-41110.
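The Problem and Vulnerability Details sections above describe an AuthZ plugin as a component that approves or denies each daemon request, and note that a plugin which does not deny by default can be tricked by a bodyless request. The following is an added example of a fail-closed AuthZ plugin written for this page; it is not Docker's code and not the plugin involved in the advisory. It assumes the request and response field names and the `/AuthZPlugin.AuthZReq` and `/AuthZPlugin.AuthZRes` endpoints from Docker's authorization plugin protocol; the `bodyRequired` endpoint list, the policy that blocks privileged containers, and the socket file name are illustrative choices made for the example.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"os"
	"strings"
)

// authZRequest is what the daemon POSTs to /AuthZPlugin.AuthZReq before running
// an API call (field names from Docker's authorization plugin protocol). On an
// affected daemon, Content-Length: 0 makes RequestBody arrive empty.
type authZRequest struct {
	User          string `json:"User"`
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestURI"`
	RequestBody   []byte `json:"RequestBody"` // base64 on the wire; encoding/json decodes it
}

type authZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
	Err   string `json:"Err,omitempty"`
}

// Endpoint suffixes whose calls always carry a JSON body (illustrative subset for this example).
var bodyRequired = []string{"/containers/create", "/exec", "/update", "/services/create"}

// deny logs the refusal so an operator can see bodyless calls being rejected.
func deny(msg string) authZResponse { log.Println("deny:", msg); return authZResponse{Msg: msg} }

func needsBody(path string) bool {
	for _, s := range bodyRequired {
		if strings.HasSuffix(path, s) {
			return true
		}
	}
	return false
}

// decide is fail-closed: read-only calls pass, state-changing calls are allowed
// only if the body they must carry was forwarded and passes inspection, and
// anything the policy does not understand is refused.
func decide(req authZRequest) authZResponse {
	path := strings.SplitN(req.RequestURI, "?", 2)[0]
	switch strings.ToUpper(req.RequestMethod) {
	case http.MethodGet, http.MethodHead, http.MethodDelete: // nothing in a body to inspect
		return authZResponse{Allow: true}
	case http.MethodPost, http.MethodPut:
		if !needsBody(path) { // e.g. /containers/{id}/start legitimately has no body
			return authZResponse{Allow: true}
		}
		if len(req.RequestBody) == 0 {
			return deny("request body missing: refusing a call the plugin cannot inspect")
		}
		if strings.HasSuffix(path, "/containers/create") {
			var spec struct{ HostConfig struct{ Privileged bool } } // JSON keys match case-insensitively
			if err := json.Unmarshal(req.RequestBody, &spec); err != nil {
				return deny("unparseable container spec: " + err.Error())
			}
			if spec.HostConfig.Privileged {
				return deny("privileged containers are not permitted")
			}
		}
		return authZResponse{Allow: true}
	}
	return deny("method " + req.RequestMethod + " is not covered by policy")
}

func writeJSON(w http.ResponseWriter, v interface{}) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(v)
}

func authZReq(w http.ResponseWriter, r *http.Request) {
	var req authZRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		writeJSON(w, authZResponse{Err: "malformed AuthZReq: " + err.Error()})
		return
	}
	writeJSON(w, decide(req))
}

// authZRes sees the daemon's response; this example does not filter responses.
func authZRes(w http.ResponseWriter, _ *http.Request) { writeJSON(w, authZResponse{Allow: true}) }

func main() {
	sock := "/run/docker/plugins/failclosed-authz.sock" // plugin discovery dir; file name is an example
	_ = os.Remove(sock)
	l, err := net.Listen("unix", sock)
	if err != nil {
		log.Fatal(err)
	}
	http.HandleFunc("/AuthZPlugin.AuthZReq", authZReq)
	http.HandleFunc("/AuthZPlugin.AuthZRes", authZRes)
	log.Fatal(http.Serve(l, nil))
}
```

The point of the `len(req.RequestBody) == 0` branch is that the plugin refuses to rule on what it cannot see: a `POST /containers/create` that reaches it without a body is denied rather than waved through, so the Content-Length: 0 trick buys nothing even on a daemon that strips the body. The log line on every denial also gives a simple detection signal for bodyless calls to body-carrying endpoints.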


AFFECTED VERSIONS

Affected versions                                   Patched versions
<= v19.03.15, <= v20.10.27, <= v23.0.14,            > v23.0.14
<= v24.0.9, <= v25.0.5, <= v26.0.2, <= v26.1.4,     > v26.1.4
<= v27.0.3, <= v27.1.0                              > v27.1.0


WHO IS IMPACTED?

 * Users of Docker Engine v19.03.x and later versions who rely on authorization
   plugins to make access control decisions.


WHO IS NOT IMPACTED?

 * Users of Docker Engine v19.03.x and later versions who do not rely on
   authorization plugins to make access control decisions and users of all
   versions of Mirantis Container Runtime are not vulnerable.
 * Users of Docker commercial products and internal infrastructure who do not
   rely on AuthZ plugins are unaffected.


IMPACT ON DOCKER DESKTOP

 * Docker Desktop up to v4.32.0 includes affected versions of Docker Engine.
 * The impact for Docker Desktop is limited compared to production environments.
   * Exploitation requires access to the Docker API, which usually means the
     attacker needs to already have local access to the host machine, unless the
     Docker daemon is insecurely exposed over TCP.
   * Default Docker Desktop configuration does not include AuthZ plugins.
   * Privilege escalation is limited to the Docker Desktop VM, not the
     underlying host.
 * A patched version of Docker Engine will be included in Docker Desktop v4.33.


REMEDIATION STEPS

 1. Update Docker Engine:

 * If you are running an affected version, update to the most recent patched
   version.

 2. Mitigation if unable to update immediately:

 * Avoid using AuthZ plugins.
 * Restrict access to the Docker API to trusted parties, following the principle
   of least privilege.

 3. Update Docker Desktop:

 * If using an affected version, update to Docker Desktop 4.33 after it is
   released.
 * Ensure AuthZ plugins are not used and do not expose the Docker API over TCP
   without protection.
 * Docker Business subscribers can use Settings Management to enforce secure
   settings.


LEARN MORE

 * See the GitHub security advisory.
 * Authenticate and update to receive your subscription level’s newest Docker
   Desktop features.
 * New to Docker? Create an account.
 * Subscribe to the Docker Newsletter.

POSTED

Jul 23, 2024