This article originally appeared at The WHIR
The latest release of Docker patches two critical security vulnerabilities that could allow an attacker to escalate their privileges and execute remote code on an affected system.
Docker is a popular open-source applications packaging technology that allows applications to run in different environments.
The Department of Homeland Security’s computer security division US-CERT and other security authorities have been strongly urging systems administrators to update their Docker installations.
According to a security update from Eric Windisch, one of Docker’s top security personnel, Docker versions up to and including 1.3.1 have a flaw that could make it possible to extract files to arbitrary paths on the host during “docker pull” and “docker load” operations. He noted that this was due to “symlink and hardlink traversals present in Docker’s image extraction.”
Previous versions of Docker (1.3.0 to 1.3.1) allowed security options to be applied to images, and this could change the default run profile of the containers executing the images to give the user more permissions.
Docker 1.3.2, released Monday, patches this vulnerability with image extraction performed in a chroot, ensuring that users cannot access files outside a designated directory tree to which they have access.
Last week, Microsoft issued a patch for a permissions vulnerability in Windows Server that could allow a user with basic privileges to act as though they were an administrator.
Docker is becoming a major part of many online services. Amazon launched Docker support earlier this month, and Microsoft is aiming to include Docker’s containerized application technology in the next release of Windows Server. This means that the relatively young Docker project, whose first release was in March 2013, needs to quickly mature to meet the hefty demands of these businesses.
This article originally appeared at: http://www.thewhir.com/web-hosting-news/unlimited-cloud-storage-nearly-drove-bitcasa-bankruptcy