- Red Hat Enterprise Linux (RHEL)
A proof-of-concept exploit was recently published that allows an application running inside a docker container to break out of the container's constraints and access any file on the host filesystem. Docker upstream has released a statement on the issue.
Only docker upstream 0.11.x releases were vulnerable to this issue. Docker as shipped with Red Hat Enterprise Linux 7 is not affected.
The root user's special permissions are divided into individual powers called capabilities. This vulnerability was caused by the unnecessarily wide set of capabilities that docker granted to containers by default; a process inside the container could use one of those capabilities to reach files outside the container's filesystem. The Red Hat Enterprise Linux 7 docker package already shipped with a more stringent capabilities policy, granting containers a smaller default set. In addition to this more restrictive policy, the impact of any capability a container does hold on the host system can be limited by SELinux, provided SELinux is in enforcing mode on the host (check with `getenforce`). Red Hat Product Security advises customers to always run containers with SELinux enabled, in order to mitigate other potential container breakout flaws and to limit the impact of poorly configured containers.
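The following shell script is an added example, not code from the original article or from the docker project, showing how to audit which capabilities a container actually holds. It decodes the CapBnd/CapEff hex masks that the kernel reports in /proc/PID/status (the bit numbering is the kernel's standard capability numbering) and reports any capability outside an allow list. The allow list below is an assumption for illustration; compare it against the default set your docker package grants, and run the script from a shell inside the container to see the container's own view.

```sh
#!/bin/sh
# Capability bit numbers as defined by the Linux kernel (include/uapi/linux/capability.h).
CAP_NAMES="0:chown 1:dac_override 2:dac_read_search 3:fowner 4:fsetid 5:kill \
6:setgid 7:setuid 8:setpcap 9:linux_immutable 10:net_bind_service 11:net_broadcast \
12:net_admin 13:net_raw 14:ipc_lock 15:ipc_owner 16:sys_module 17:sys_rawio \
18:sys_chroot 19:sys_ptrace 20:sys_pacct 21:sys_admin 22:sys_boot 23:sys_nice \
24:sys_resource 25:sys_time 26:sys_tty_config 27:mknod 28:lease 29:audit_write \
30:audit_control 31:setfcap 32:mac_override 33:mac_admin 34:syslog 35:wake_alarm \
36:block_suspend 37:audit_read"

# Assumed allow list for illustration: the kind of restricted default set a
# hardened docker package hands to a container. Adjust to your package's policy.
ALLOWED_CAPS="cap_chown cap_dac_override cap_fowner cap_fsetid cap_kill cap_setgid \
cap_setuid cap_setpcap cap_net_bind_service cap_net_raw cap_sys_chroot cap_mknod \
cap_audit_write cap_setfcap"

# decode_caps HEXMASK: print the cap_* names set in a CapBnd/CapEff/CapPrm mask,
# lowest bit first, separated by single spaces.
decode_caps() {
    mask=$((0x$1))
    out=""
    for entry in $CAP_NAMES; do
        bit=${entry%%:*}
        name=${entry#*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out cap_$name"
        fi
    done
    printf '%s\n' "${out# }"
}

# excess_caps HEXMASK "ALLOWED ..." : print the capabilities present in the mask
# that are NOT in the allow list (empty output means the mask is within policy).
excess_caps() {
    allowed=" $2 "
    excess=""
    for c in $(decode_caps "$1"); do
        case "$allowed" in
            *" $c "*) ;;
            *) excess="$excess $c" ;;
        esac
    done
    printf '%s\n' "${excess# }"
}

# current_bounding_set: the bounding set of this process, i.e. the ceiling on
# what any process in this container can ever acquire, even after a setuid exec.
current_bounding_set() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# Usage when run directly (inside a container to audit it, or on the host for comparison):
#   sh audit_caps.sh
if [ "${0##*/}" = "audit_caps.sh" ]; then
    bnd=$(current_bounding_set)
    echo "Bounding set: $(decode_caps "$bnd")"
    extra=$(excess_caps "$bnd" "$ALLOWED_CAPS")
    if [ -n "$extra" ]; then
        echo "Outside policy: $extra"
        exit 1
    fi
    echo "Within policy"
fi
```

The bounding set (CapBnd) is the right mask to audit rather than the effective set, because it bounds every process that can ever run in the container; a capability that is absent from CapBnd cannot be regained by a setuid binary or a file capability. Capabilities reported outside the allow list are the ones to drop from the container configuration, and SELinux enforcing on the host is what limits the damage from any that must stay.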
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.