docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add Engine v19.03.11 release notes (#10940) 

* Add Engine v19.03.11 release notes

* Add detailed info
This commit is contained in:
Usha Mandya 2020-06-02 14:36:46 +01:00 committed by GitHub
parent 3abbecd92d
commit 18f02bed7c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 24 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
engine/release-notes/index.md
View File

@ -22,6 +22,30 @@ for Docker Engine.
# Version 19.03
## 19.03.11
2020-06-01
### Network
Disable IPv6 Router Advertisements to prevent address spoofing. [CVE-2020-13401](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13401)
**Description**
In the Docker default configuration, the container network interface is a virtual ethernet link going to the host (veth interface).
In this configuration, an attacker able to run a process as root in a container can send and receive arbitrary packets to the host using the `CAP_NET_RAW` capability (present in the default configuration).
If IPv6 is not totally disabled on the host (via `ipv6.disable=1` on the kernel cmdline), it will be either unconfigured or configured on some interfaces, but its pretty likely that ipv6 forwarding is disabled, that is, `/proc/sys/net/ipv6/conf//forwarding == 0`. Also by default, `/proc/sys/net/ipv6/conf//accept_ra == 1`. The combination of these 2 sysctls means that the host accepts router advertisements and configures the IPv6 stack using them.
By sending “rogue” router advertisements from a container, an attacker can reconfigure the host to redirect part or all of the IPv6 traffic of the host to the attacker-controlled container.
Even if there was no IPv6 traffic before, if the DNS returns A (IPv4) and AAAA (IPv6) records, many HTTP libraries will try to connect via IPv6 first then fallback to IPv4, giving an opportunity to the attacker to respond.
If by chance the host has a vulnerability like last years RCE in apt (CVE-2019-3462), the attacker can now escalate to the host.
As `CAP_NET_ADMIN` is not present by default for Docker containers, the attacker cant configure the IPs they want to MitM, they cant use iptables to NAT or REDIRECT the traffic, and they cant use `IP_TRANSPARENT`.
The attacker can however still use `CAP_NET_RAW` and implement a tcp/ip stack in user space.
See [kubernetes/kubernetes#91507](https://github.com/kubernetes/kubernetes/issues/91507) for related issues.
## 19.03.10
2020-05-29