Bug 1168436 - (CVE-2014-5282) CVE-2014-5282 docker: tagging image to ID can redirect images on subsequent pulls
CVE-2014-5282 docker: tagging image to ID can redirect images on subsequent p...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
Blocks: 1168437
  Show dependency treegraph
Reported: 2014-11-26 17:58 EST by Vincent Danen
Modified: 2015-07-31 03:30 EDT (History)
5 users (show)

See Also:
Fixed In Version: docker 1.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-01-18 20:55:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2014-11-26 17:58:02 EST
From the upstream report [1]:

[CVE-2014-5282] Tagging image to ID can redirect images on subsequent pulls

Importance: Medium
Affects: Docker 1.2 and lower

It has been discovered that users of the Docker Remote API and CLI could cause one image repository, upon pull, to redirect to the content of another image. This is vulnerability affects all versions of Docker up to, but excluding version 1.3.

The primary vector for an attack is by loading of untrusted images via ‘docker load’. Images downloaded from DockerHub or private registries cannot exploit this vulnerability.

It is recommended that users upgrade to Docker engine 1.3.

Users of older releases of docker are advised not to load untrusted images via ‘docker load’. Vendors supporting older releases of Docker should assure they do not allow untrusted tenants to provide images for import with ‘docker load’, or tag images to arbitrary names equal to 64-characters containing characters within the range of [0-9a-f].

Discovered by Eric Windisch of Docker, Inc.

[1] https://groups.google.com/forum/#!msg/docker-announce/aQoVmQlcE0A/smPuBNYf8VwJ

Note You need to log in before you can comment on or make changes to this bug.