Docker 1.12.6 Security with Twistlock
A new version of Docker (Docker 1.12.6) addresses a security issue that can allow processes running in containers to gain access to the host machine.
Docker allows additional processes to be launched within the context of an existing container using `docker exec`, which in turn relies on the underlying `runC exec`. The vulnerability lets a process already running inside the container access the open file descriptors of the new process while it is still being initialized to join that container. In other words, the containerized process can reach the host file system and other resources that are not intended to be accessible from inside the container.
Protection with Twistlock
Twistlock helps protect your container infrastructure from this vulnerability and similar ones in a few ways:
- Compliance / policy enforcement. This vulnerability can only be exploited if the containerized process is running as root, so Twistlock alerts on, and prevents, containers that run this way. Below is one of our compliance rules configured to prevent containers from running as root, followed by the message a user sees if they attempt to violate the rule: [screenshot: compliance rule blocking containers that run as root] [screenshot: message shown to the user when the rule is violated]
- Ongoing host vulnerability scanning. Twistlock continuously scans the host for newly disclosed vulnerabilities and security issues, in addition to scanning the containers themselves. In this case, we detect that the Docker version on the host shown below is vulnerable to this CVE by comparing the reported version and build details against vulnerability data from our Intelligence Stream: [screenshot: host scan result flagging the vulnerable Docker Engine version]
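As an added example (not Twistlock's code or the product's own checks), the following Python script performs the two host-side checks the points above describe: it flags containers whose configuration runs the main process as root, and it compares the Docker Engine server version against the fixed release named in this post. It runs offline against constructed samples of `docker inspect` and `docker version` output; the container names, image names and the 1.12.5 version in those samples are made up for the example. The version check is a plain version-number comparison against 1.12.6 only, since that is the only fixed version the post states.

```python
"""Added example: detect root-running containers and a pre-1.12.6 Docker Engine.

Not Twistlock's code. Inputs are constructed samples of `docker inspect`
(JSON array) and `docker version` (text) so the script runs offline.
"""
import json
import re

# Constructed sample of `docker inspect <ids...>`; only the fields used here.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "Config": {"User": "", "Image": "nginx:1.11"}},
    {"Id": "bbb222", "Name": "/api", "Config": {"User": "1000:1000", "Image": "api:latest"}},
    {"Id": "ccc333", "Name": "/worker", "Config": {"User": "root", "Image": "worker:2"}},
    {"Id": "ddd444", "Name": "/cron", "Config": {"User": "0:0", "Image": "cron:1"}},
])

# Constructed sample of `docker version` output (version chosen for the example).
SAMPLE_VERSION = (
    "Client:\n Version:      1.12.5\n API version:  1.24\n\n"
    "Server:\n Version:      1.12.5\n API version:  1.24\n"
)

FIXED_VERSION = "1.12.6"  # the fixed release stated in the post


def runs_as_root(user_field: str) -> bool:
    """True if Config.User means root: empty (Docker defaults to root),
    the name 'root', or uid 0, with an optional ':group' suffix."""
    if not user_field or not user_field.strip():
        return True
    user = user_field.split(":", 1)[0].strip()
    return user in ("root", "0")


def root_containers(inspect_json: str) -> list:
    """Names of containers whose main process runs as root."""
    containers = json.loads(inspect_json)
    return [
        c["Name"].lstrip("/")
        for c in containers
        if runs_as_root(c.get("Config", {}).get("User", ""))
    ]


def parse_version(version: str) -> tuple:
    """'1.12.6-rc1' -> (1, 12, 6); suffixes such as '-rc1' or '-ce' are ignored."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part) for part in match.group(1).split("."))


def server_version(version_output: str) -> str:
    """Version line from the 'Server:' section of `docker version` output."""
    in_server = False
    for line in version_output.splitlines():
        if line.startswith("Server:"):
            in_server = True
        elif in_server and line.strip().startswith("Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no server version found in docker version output")


def engine_is_vulnerable(version_output: str) -> bool:
    """True if the Engine is older than the fixed release (version-only check)."""
    return parse_version(server_version(version_output)) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) / docker version
    print("containers running as root:", root_containers(SAMPLE_INSPECT))
    print("engine older than %s:" % FIXED_VERSION, engine_is_vulnerable(SAMPLE_VERSION))
```

The root check deliberately treats an empty `Config.User` as root, because that is Docker's default when an image sets no `USER`; a policy that only matched the literal string "root" would miss the common case.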
Users are advised to upgrade existing installations of the Docker Engine and use 1.12.6 for