Docker 1.12.6 Security with Twistlock
A new version of Docker (Docker 1.12.6) addresses a security issue that can allow processes running in containers to gain access to the host machine.
Docker allows additional processes to be launched within the context of existing containers using `docker exec`, which in turn uses the underlying `runC exec`. The vulnerability allows an existing containerized process to access open file descriptors in the new process as it is being initialized to run in the existing container. In other words, the containerized process can access the host file system and other resources that are not intended to be accessible.
Protection with Twistlock
Twistlock helps protect your container infrastructure from this vulnerability and similar ones in a few ways:
- Compliance / Policy enforcement. It is only possible to exploit this vulnerability if the containerized process is running as root. Twistlock will alert and prevent containers from running this way. Here’s a screen snip of one of our compliance rules configured to prevent containers from running as root, followed by a screenshot of the message a user will see if they attempt to violate the rule:
- Ongoing host vulnerability scanning. Twistlock continuously scans the host for newly disclosed vulnerabilities and security issues, in addition to scanning the containers themselves. In this case, we can detect that the Docker version on the host in the screenshot below is vulnerable to this CVE, by comparing the reported version and build details with vulnerability data from our Intelligence Stream:
Users are advised to upgrade existing installations of the Docker Engine and use 1.12.6 for
- Learn about what happened prior to the release of Docker 1.12 and how Twistlock is innovating their product to match the release.
- Find out how to set up and add the Twistlock Custom Build Step to the vulnerability scanning.
- Twistlock created a Docker AuthZ plugin – allows access control of Docker plugins
- Check out the other articles about Docker Security.
Follow us on Twitter
Follow us on Twitter for real time updates on the cloud native ecosystem, Twistlock product, and cloud native security threats.