Docker Discovers Major Vulnerability--Latest Version Immune

This article is more than 9 years old.

Docker, the vendor behind the eponymous Docker containerization initiative, has announced the discovery of a critical flaw in some versions of the software. From the notification:

The Docker engine, up to and including version 1.3.1, was vulnerable to extracting files to arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations.

The vulnerability, discovered by Florian Weimer of Red Hat Product Security and independent researcher Tõnis Tiigi, allowed for a remote code escalation to occur. Docker has remedied the flaw, and the latest version of the product, 1.3.2, is no longer vulnerable.

Docker had a previous security issue back in June and that vulnerability was also quickly patched.

There is, however, no remediation available for older versions of Docker with this previous bug, a cautionary tale for organizations experimenting with early-stage projects. While it is in no way an indictment of the Docker project, it does show that early-stage projects are just that – early and still a little rough around the edges.

This is a particularly important issue given the massive momentum that Docker has – while it means more attention from security professionals and hence the early identification of issues, the widespread use of Docker also increases the potential threat from vulnerabilities.
