<!--[metadata]>
+++
title = "Docker Security Non-events"
description = "Review of security vulnerabilities Docker mitigated"
keywords = ["Docker, Docker documentation, security, security non-events"]
[menu.main]
parent = "smn_secure_docker"
+++
<![end-metadata]-->

# Docker Security Non-events

This page lists security vulnerabilities which Docker mitigated, such that
processes run in Docker containers were never vulnerable to the bug—even before
it was fixed. This assumes containers are run without adding extra capabilities
and not run as `--privileged`.

The list below is not even remotely complete. Rather, it is a sample of the few
bugs we've actually noticed to have attracted security review and publicly
disclosed vulnerabilities. In all likelihood, the bugs that haven't been
reported far outnumber those that have. Luckily, because Docker's approach is
secure by default through apparmor, seccomp, and dropping capabilities, it
likely mitigates unknown bugs just as well as it does known ones.

Bugs mitigated:

* [CVE-2013-1956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1956),
[1957](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1957),
[1958](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1958),
[1959](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1959),
[1979](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1979),
[CVE-2014-4014](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014),
[5206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5206),
[5207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5207),
[7970](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970),
[7975](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7975),
[CVE-2015-2925](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925),
[8543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8543),
[CVE-2016-3134](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3134),
[3135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3135), etc.:
The introduction of unprivileged user namespaces led to a huge increase in the
attack surface available to unprivileged users by giving such users legitimate
access to previously root-only system calls like `mount()`. All of these CVEs
are examples of security vulnerabilities due to the introduction of user
namespaces. Docker can use user namespaces to set up containers, but then
disallows the process inside the container from creating its own nested
namespaces through the default seccomp profile, rendering these vulnerabilities
unexploitable.
* [CVE-2014-0181](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0181),
[CVE-2015-3339](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339):
These are bugs that require the presence of a setuid binary. Docker disables
setuid binaries inside containers via the `NO_NEW_PRIVS` process flag and
other mechanisms.
* [CVE-2014-4699](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4699):
A bug in `ptrace()` could allow privilege escalation. Docker disables `ptrace()`
inside the container using apparmor, seccomp and by dropping `CAP_SYS_PTRACE`.
Three times the layers of protection there!
* [CVE-2014-9529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529):
A series of crafted `keyctl()` calls could cause kernel DoS / memory corruption.
Docker disables `keyctl()` inside containers using seccomp.
* [CVE-2015-3214](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3214),
[4036](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4036): These are
bugs in common virtualization drivers which could allow a guest OS user to
execute code on the host OS. Exploiting them requires access to virtualization
devices in the guest. Docker hides direct access to these devices when run
without `--privileged`. Interestingly, these seem to be cases where containers
are "more secure" than a VM, going against common wisdom that VMs are
"more secure" than containers.
* [CVE-2016-0728](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0728):
Use-after-free caused by crafted `keyctl()` calls could lead to privilege
escalation. Docker disables `keyctl()` inside containers using the default
seccomp profile.
* [CVE-2016-2383](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2383):
A bug in eBPF -- the special in-kernel DSL used to express things like seccomp
filters -- allowed arbitrary reads of kernel memory. The `bpf()` system call
is blocked inside Docker containers using (ironically) seccomp.
* [CVE-2016-3134](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3134),
[4997](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4997),
[4998](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4998):
A bug in `setsockopt()` with `IPT_SO_SET_REPLACE`, `ARPT_SO_SET_REPLACE`, and
`IP6T_SO_SET_REPLACE` caused memory corruption / local privilege escalation.
Setting these options requires `CAP_NET_ADMIN`, which Docker does not grant by
default.

Bugs *not* mitigated:

* [CVE-2015-3290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3290),
[5157](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5157): Bugs in
the kernel's non-maskable interrupt handling allowed privilege escalation.
These can be exploited in Docker containers because the `modify_ldt()` system
call is not currently blocked using seccomp.
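The mitigated and unmitigated entries above all come down to what the default seccomp profile allows, so as an added example (not code from this page or the Docker project) the script below audits a profile written in the JSON layout of Docker's `default.json` and reports the verdict for each syscall named on this page: `keyctl()` and `bpf()` denied by the default action, `clone()` allowed only with the namespace flag bits masked to zero, `ptrace()` and `mount()` allowed only when the matching capability is granted, and `modify_ldt()` allowed outright. The embedded profile is a constructed, heavily abridged sample; the capability gating assumes, as Docker's loader does, that a rule carrying `includes.caps` is applied only when the container holds every listed capability.

```python
import json

# Syscalls this page discusses; modify_ldt is the one it lists as NOT blocked.
SYSCALLS_OF_INTEREST = ["keyctl", "add_key", "bpf", "ptrace", "mount",
                        "unshare", "setns", "clone", "modify_ldt"]

# CLONE_NEWUSER|CLONE_NEWPID|CLONE_NEWNET|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWNS:
# Docker's default profile allows clone() only when these flag bits are zero.
CLONE_NS_MASK = 0x7C020000

# Constructed, heavily abridged profile in the layout of Docker's default.json.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group", "modify_ldt"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": CLONE_NS_MASK, "valueTwo": 0,
                   "op": "SCMP_CMP_MASKED_EQ"}]},
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
        {"names": ["mount", "unshare", "setns"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
})

def rule_names(rule):
    """Accept both the older single "name" and the newer "names" list form."""
    return rule.get("names") or ([rule["name"]] if "name" in rule else [])

def classify(profile, syscall, granted_caps=()):
    """Verdict for one syscall: the matching rule's action, or the default."""
    for rule in profile.get("syscalls", []):
        if syscall not in rule_names(rule):
            continue
        needed = set(rule.get("includes", {}).get("caps", []))
        if needed and not needed <= set(granted_caps):
            continue  # rule is only loaded when the container holds all these caps
        if rule.get("args"):
            return rule["action"] + " (argument-filtered)"
        return rule["action"]
    return profile["defaultAction"] + " (default)"

def audit(profile_json, granted_caps=()):
    profile = json.loads(profile_json)
    return {s: classify(profile, s, granted_caps) for s in SYSCALLS_OF_INTEREST}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_PROFILE).items():
        print(f"{name:12} {verdict}")
```

Point `audit()` at the real profile (`docker info` reports whether the default seccomp profile is active; the file ships with the Docker source) and pass the container's effective capabilities to see which of this page's non-events still hold under a custom `--security-opt seccomp=` or `--cap-add` configuration.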