github.com/noxiouz/docker@v0.7.3-0.20160629055221-3d231c78e8c5/docs/security/non-events.md

<!--[metadata]>
+++
title = "Docker Security Non-events"
description = "Review of security vulnerabilities Docker mitigated"
keywords = ["Docker, Docker documentation,  security, security non-events"]
[menu.main]
parent = "smn_secure_docker"
+++
<![end-metadata]-->

# Docker Security Non-events

This page lists security vulnerabilities which Docker mitigated, such that
processes run in Docker containers were never vulnerable to the bug—even before
it was fixed. This assumes containers are run without adding extra capabilities
and are not run with `--privileged`.

The list below is not even remotely complete. Rather, it is a sample of the few
bugs we've actually noticed: those that attracted security review and were
publicly disclosed as vulnerabilities. In all likelihood, the bugs that haven't
been reported far outnumber those that have. Luckily, because Docker's approach
is to be secure by default through AppArmor, seccomp, and dropping capabilities,
it likely mitigates unknown bugs just as well as it does known ones.

Bugs mitigated:

* [CVE-2013-1956](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1956),
[1957](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1957),
[1958](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1958),
[1959](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1959),
[1979](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1979),
[CVE-2014-4014](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4014),
[5206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5206),
[5207](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5207),
[7970](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7970),
[7975](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7975),
[CVE-2015-2925](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2925),
[8543](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8543),
[CVE-2016-3134](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3134),
[3135](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3135), etc.:
The introduction of unprivileged user namespaces led to a huge increase in the
attack surface available to unprivileged users by giving such users legitimate
access to previously root-only system calls like `mount()`. All of these CVEs
are examples of security vulnerabilities caused by the introduction of user
namespaces. Docker can use user namespaces to set up containers, but then
disallows the process inside the container from creating its own nested
namespaces through the default seccomp profile, rendering these vulnerabilities
unexploitable.
* [CVE-2014-0181](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0181),
[CVE-2015-3339](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3339):
These are bugs that require the presence of a setuid binary. Docker disables
setuid binaries inside containers via the `NO_NEW_PRIVS` process flag and
other mechanisms.
* [CVE-2014-4699](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4699):
A bug in `ptrace()` could allow privilege escalation. Docker disables `ptrace()`
inside the container using AppArmor, seccomp and by dropping `CAP_SYS_PTRACE`.
Three layers of protection there!
* [CVE-2014-9529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9529):
A series of crafted `keyctl()` calls could cause kernel DoS / memory corruption.
Docker disables `keyctl()` inside containers using seccomp.
* [CVE-2015-3214](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3214),
[4036](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4036): These are
bugs in common virtualization drivers which could allow a guest OS user to
execute code on the host OS. Exploiting them requires access to virtualization
devices in the guest. Docker hides direct access to these devices when run
without `--privileged`. Interestingly, these seem to be cases where containers
are "more secure" than a VM, going against common wisdom that VMs are
"more secure" than containers.
* [CVE-2016-0728](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0728):
Use-after-free caused by crafted `keyctl()` calls could lead to privilege
escalation. Docker disables `keyctl()` inside containers using the default
seccomp profile.
* [CVE-2016-2383](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2383):
A bug in eBPF -- the special in-kernel DSL used to express things like seccomp
filters -- allowed arbitrary reads of kernel memory. The `bpf()` system call
is blocked inside Docker containers using (ironically) seccomp.

Bugs *not* mitigated:

* [CVE-2015-3290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3290),
[5157](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5157): Bugs in
the kernel's non-maskable interrupt handling allowed privilege escalation.
These can be exploited in Docker containers because the `modify_ldt()` system
call is not currently blocked using seccomp.
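The following audit script is an added example, not part of Docker or its documentation: it reads a seccomp profile laid out like Docker's `default.json` (a `defaultAction` plus per-syscall rules) and reports, for the syscalls named in both lists above, whether each is blocked, allowed, or allowed only when a capability is present. The embedded profile is a constructed sample rather than the shipped default, so `modify_ldt` is left allowed to reproduce the "not mitigated" case.

```python
"""Check a Docker-style seccomp profile for the syscalls discussed on this page."""
import json

# Syscalls named on this page and the bugs that blocking them shuts out.
WATCHED = {
    "keyctl": "CVE-2014-9529 / CVE-2016-0728",
    "bpf": "CVE-2016-2383",
    "ptrace": "CVE-2014-4699",
    "unshare": "user-namespace CVEs (CVE-2013-1956 ...)",
    "mount": "user-namespace CVEs (CVE-2013-1956 ...)",
    "modify_ldt": "CVE-2015-3290 / CVE-2015-5157 (not blocked by default)",
}

# Constructed sample in the layout of Docker's default.json; NOT the real file.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "modify_ldt"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_PTRACE"]}},
        {"name": "clone", "action": "SCMP_ACT_ALLOW"},  # older single-name form
    ],
})

def rule_names(rule):
    """Older Docker profiles used 'name' (one syscall); newer ones use 'names'."""
    return rule.get("names") or ([rule["name"]] if "name" in rule else [])

def syscall_status(profile, syscall):
    """Return 'blocked', 'allowed', or 'allowed with <caps>' for one syscall.

    Simplification: first matching rule wins, and only the action and the
    includes.caps condition are modelled (arg filters and excludes are not).
    """
    for rule in profile.get("syscalls", []):
        if syscall in rule_names(rule):
            if rule["action"] != "SCMP_ACT_ALLOW":
                return "blocked"
            caps = rule.get("includes", {}).get("caps")
            return f"allowed with {','.join(caps)}" if caps else "allowed"
    default = profile.get("defaultAction", "SCMP_ACT_ERRNO")
    return "allowed" if default == "SCMP_ACT_ALLOW" else "blocked"

def audit(profile_json):
    """Map each watched syscall to its status under the given profile text."""
    profile = json.loads(profile_json)
    return {name: syscall_status(profile, name) for name in WATCHED}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_PROFILE).items():
        print(f"{name:12} {status:28} ({WATCHED[name]})")
```

Point `audit()` at the profile actually applied to a container (the file passed via `--security-opt seccomp=...`) to confirm the blocks this page relies on are present.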