Bug 1168436 (CVE-2014-5282) - CVE-2014-5282 docker: tagging image to ID can redirect images on subsequent pulls
Summary: CVE-2014-5282 docker: tagging image to ID can redirect images on subsequent p...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2014-5282
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20141016,reported=2...
Depends On:
Blocks: 1168437
TreeView+ depends on / blocked
 
Reported: 2014-11-26 22:58 UTC by Vincent Danen
Modified: 2019-06-08 20:17 UTC (History)
5 users (show)

Fixed In Version: docker 1.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-19 01:55:16 UTC


Attachments (Terms of Use)

Description Vincent Danen 2014-11-26 22:58:02 UTC
From the upstream report [1]:

================================================================
[CVE-2014-5282] Tagging image to ID can redirect images on subsequent pulls
==============================================================

Importance: Medium
Affects: Docker 1.2 and lower
Description:

It has been discovered that users of the Docker Remote API and CLI could cause one image repository, upon pull, to redirect to the content of another image. This is vulnerability affects all versions of Docker up to, but excluding version 1.3.

The primary vector for an attack is by loading of untrusted images via ‘docker load’. Images downloaded from DockerHub or private registries cannot exploit this vulnerability.

It is recommended that users upgrade to Docker engine 1.3.

Users of older releases of docker are advised not to load untrusted images via ‘docker load’. Vendors supporting older releases of Docker should assure they do not allow untrusted tenants to provide images for import with ‘docker load’, or tag images to arbitrary names equal to 64-characters containing characters within the range of [0-9a-f].

Discovered by Eric Windisch of Docker, Inc.

[1] https://groups.google.com/forum/#!msg/docker-announce/aQoVmQlcE0A/smPuBNYf8VwJ


Note You need to log in before you can comment on or make changes to this bug.