Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go, pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. References: https://github.com/docker/engine/pull/70 https://github.com/moby/moby/pull/37967
Created docker tracking bugs for this issue: Affects: epel-6 [bug 1666568] Affects: fedora-all [bug 1666566] Created docker:2017.0/docker tracking bugs for this issue: Affects: fedora-all [bug 1666567]
Fixed via https://github.com/projectatomic/docker/commit/11e17d3b79bc450a52d5e1dd1c1444f7ebe5f751
Function isCpusetListAvailable() in pkg/sysinfo/sysinfo.go uses pkg/parsers/parsers.go:ParseUintList() function to parse the value passed through the --cpuset-mems docker option. ParseUintList() returns a map with each element in the list mapped to true/false. When the list is too big, the daemon tries to allocate such map, using all available memory and causing a crash.
Even though, in general, a user needs to be root or have high privilege to run docker commands, it was considered anyway a security issue as there are docker plugins to enable authentication and allow users to perform a subset of the APIs dockerd provides. This would allow a non-privileged user to crash the dockerd daemon itself.
Statement: This issue affects the versions of docker as shipped with Red Hat Enterprise Linux 7, however if docker is accessible only by root or highly privileged users, as it is by default, a low-privileged attacker will not be able to trigger the flaw.
Decreasing Impact to Low because normally Docker is accessible only by root or by high-privileges users.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2019:0487 https://access.redhat.com/errata/RHSA-2019:0487