Docker 1.12.6 Security with Twistlock
A new version of Docker (Docker 1.12.6) addresses a security issue that can allow processes running in containers to gain access to the host machine.
Docker allows additional processes to be launched within the context of existing containers using `docker exec`, which in turn uses the underlying `runC exec`. The vulnerability allows an existing containerized process to access open file descriptors in the new process as it is being initialized to run in the existing container. In other words, the containerized process can access the host file system and other resources that are not intended to be accessible.
Protection with Twistlock
Twistlock helps protect your container infrastructure from this vulnerability and similar ones in a few ways:
- Compliance / Policy enforcement. It is only possible to exploit this vulnerability if the containerized process is running as root. Twistlock will alert and prevent containers from running this way. Here’s a screen snip of one of our compliance rules configured to prevent containers from running as root, followed by a screenshot of the message a user will see if they attempt to violate the rule:
- Ongoing host vulnerability scanning. Twistlock continuously scans the host for newly disclosed vulnerabilities and security issues, in addition to scanning the containers themselves. In this case, we can detect that the Docker version on the host in the screenshot below is vulnerable to this CVE, by comparing the reported version and build details with vulnerability data from our Intelligence Stream:
Users are advised to upgrade existing installations of the Docker Engine and use 1.12.6 for
- Learn about what happened prior to the release of Docker 1.12 and how Twistlock is innovating their product to match the release.
- Find out how to set up and add the Twistlock Custom Build Step to the vulnerability scanning.
- Twistlock created a Docker AuthZ plugin – allows access control of Docker plugins
- Check out the other articles about Docker Security.
Follow us on Twitter
Keep up to date with the latest news from TwistlockLabs and TwistlockTeam.
Multiple Registry Scanners: 2.4 Deep Dive
At Twistlock, we’ve watched our customers implement security through...
The Challenges of Securing and Protecting Containers During Runtime
Containers deliver many advantages over virtual machines, but they als...
Infinite Scale and Multitenancy with Projects: 2.4 Deep Dive
At Twistlock, we’re working with enterprises across almost every ind...
Twistlock 2.4 Release Notes
Announcing Twistlock 2.4 We just signed off on Twistlock 2.4, the 13th...
5 Ways to Solve for Enterprise Cloud Security Challenges and Risks
Infrastructure as a Service (IaaS) clouds present a somewhat unique se...