RHBA-2014:1977
Vulnerability from csaf_redhat
Published
2014-12-10 11:38
Modified
2024-11-22 08:45
Summary
Red Hat Bug Fix Advisory: docker bug fix and enhancement update
Notes
Topic
An updated docker package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 7 Extras.
Details
Docker is an open-source engine that automates the deployment of any application
as a lightweight, portable, self-sufficient container that will run virtually
anywhere.
The docker packages have been upgraded to upstream version 1.3.2, which provides
a number of bug fixes and enhancements over the previous version, the most
notable of which is the "exec" command which allows for processes to be spawned
inside a Docker container. (BZ#1167870)
Users of docker are advised to upgrade to this updated package, which fixes
these bugs and adds these enhancements. After installing the update, docker
containers must be restarted for the changes to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An updated docker package that fixes several bugs and adds various enhancements is now available for Red Hat Enterprise Linux 7 Extras.",
"title": "Topic"
},
{
"category": "general",
"text": "Docker is an open-source engine that automates the deployment of any application\nas a lightweight, portable, self-sufficient container that will run virtually\nanywhere.\n\nThe docker packages have been upgraded to upstream version 1.3.2, which provides\na number of bug fixes and enhancements over the previous version, the most\nnotable of which is the \"exec\" command which allows for processes to be spawned\ninside a Docker container. (BZ#1167870)\n\nUsers of docker are advised to upgrade to this updated package, which fixes\nthese bugs and adds these enhancements. After installing the update, docker\ncontainers must be restarted for the changes to take effect.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2014:1977",
"url": "https://access.redhat.com/errata/RHBA-2014:1977"
},
{
"category": "external",
"summary": "1167870",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1167870"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhba-2014_1977.json"
}
],
"title": "Red Hat Bug Fix Advisory: docker bug fix and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T08:45:32+00:00",
"generator": {
"date": "2024-11-22T08:45:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHBA-2014:1977",
"initial_release_date": "2014-12-10T11:38:14+00:00",
"revision_history": [
{
"date": "2014-12-10T11:38:14+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-12-15T16:33:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T08:45:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux 7 Extras",
"product": {
"name": "Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras_other:7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux Extras"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-0:1.3.2-4.el7.src",
"product": {
"name": "docker-0:1.3.2-4.el7.src",
"product_id": "docker-0:1.3.2-4.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker@1.3.2-4.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "docker-0:1.3.2-4.el7.x86_64",
"product": {
"name": "docker-0:1.3.2-4.el7.x86_64",
"product_id": "docker-0:1.3.2-4.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/docker@1.3.2-4.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-0:1.3.2-4.el7.src as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS:docker-0:1.3.2-4.el7.src"
},
"product_reference": "docker-0:1.3.2-4.el7.src",
"relates_to_product_reference": "7Server-EXTRAS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "docker-0:1.3.2-4.el7.x86_64 as a component of Red Hat Enterprise Linux 7 Extras",
"product_id": "7Server-EXTRAS:docker-0:1.3.2-4.el7.x86_64"
},
"product_reference": "docker-0:1.3.2-4.el7.x86_64",
"relates_to_product_reference": "7Server-EXTRAS"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Docker project"
]
}
],
"cve": "CVE-2014-6407",
"cwe": {
"id": "CWE-59",
"name": "Improper Link Resolution Before File Access (\u0027Link Following\u0027)"
},
"discovery_date": "2014-11-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1167505"
}
],
"notes": [
{
"category": "description",
"text": "Docker before 1.3.2 allows remote attackers to write to arbitrary files and execute arbitrary code via a (1) symlink or (2) hard link attack in an image archive in a (a) pull or (b) load operation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "docker: symbolic and hardlink issues leading to privilege escalation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue affects the versions of Docker as shipped with Red Hat Enterprise Linux 7. However, this flaw is not known to be exploitable under any supported scenario. A future update may address this issue.\n\nRed Hat does not support or recommend running untrusted images.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-EXTRAS:docker-0:1.3.2-4.el7.src",
"7Server-EXTRAS:docker-0:1.3.2-4.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-6407"
},
{
"category": "external",
"summary": "RHBZ#1167505",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1167505"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-6407",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-6407"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-6407",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-6407"
}
],
"release_date": "2014-11-24T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-12-10T11:38:14+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-EXTRAS:docker-0:1.3.2-4.el7.src",
"7Server-EXTRAS:docker-0:1.3.2-4.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2014:1977"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "LOCAL",
"authentication": "MULTIPLE",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"confidentialityImpact": "NONE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:L/AC:H/Au:M/C:N/I:C/A:N",
"version": "2.0"
},
"products": [
"7Server-EXTRAS:docker-0:1.3.2-4.el7.src",
"7Server-EXTRAS:docker-0:1.3.2-4.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "docker: symbolic and hardlink issues leading to privilege escalation"
},
{
"acknowledgments": [
{
"names": [
"Docker Inc."
]
}
],
"cve": "CVE-2014-9358",
"discovery_date": "2014-12-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1172787"
}
],
"notes": [
{
"category": "description",
"text": "Docker before 1.3.3 does not properly validate image IDs, which allows remote attackers to conduct path traversal attacks and spoof repositories via a crafted image in a (1) \"docker load\" operation or (2) \"registry communications.\"",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "docker: Path traversal and spoofing opportunities presented through image identifiers",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-EXTRAS:docker-0:1.3.2-4.el7.src",
"7Server-EXTRAS:docker-0:1.3.2-4.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-9358"
},
{
"category": "external",
"summary": "RHBZ#1172787",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1172787"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-9358",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-9358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-9358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-9358"
},
{
"category": "external",
"summary": "https://groups.google.com/forum/#!topic/docker-user/nFAz-B-n4Bw",
"url": "https://groups.google.com/forum/#!topic/docker-user/nFAz-B-n4Bw"
}
],
"release_date": "2014-12-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-12-10T11:38:14+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-EXTRAS:docker-0:1.3.2-4.el7.src",
"7Server-EXTRAS:docker-0:1.3.2-4.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2014:1977"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"confidentialityImpact": "NONE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:C/A:N",
"version": "2.0"
},
"products": [
"7Server-EXTRAS:docker-0:1.3.2-4.el7.src",
"7Server-EXTRAS:docker-0:1.3.2-4.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "docker: Path traversal and spoofing opportunities presented through image identifiers"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.