Update module github.com/docker/docker to v24.0.9+incompatible [SECURITY] - autoclosed #55
+3
−1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
🦙 MegaLinter status: ❌ ERROR
See detailed report in MegaLinter reports MegaLinter is graciously provided by |
renovate
bot
changed the title
renovate
bot
deleted the
renovate/go-github.com/docker/docker-vulnerability
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v24.0.5+incompatible->v24.0.9+incompatibleGitHub Vulnerability Alerts
GHSA-jq35-85cj-fj4p
Intel's RAPL (Running Average Power Limit) feature, introduced by the Sandy Bridge microarchitecture, provides software insights into hardware energy consumption. To facilitate this, Intel introduced the powercap framework in Linux kernel 3.13, which reads values via relevant MSRs (model specific registers) and provides unprivileged userspace access via
sysfs. As RAPL is an interface to access a hardware feature, it is only available when running on bare metal with the module compiled into the kernel.By 2019, it was realized that in some cases unprivileged access to RAPL readings could be exploited as a power-based side-channel against security features including AES-NI (potentially inside a SGX enclave) and KASLR (kernel address space layout randomization). Also known as the PLATYPUS attack, Intel assigned CVE-2020-8694 and CVE-2020-8695, and AMD assigned CVE-2020-12912.
Several mitigations were applied; Intel reduced the sampling resolution via a microcode update, and the Linux kernel prevents access by non-root users since 5.10. However, this kernel-based mitigation does not apply to many container-based scenarios:
sysfsis mounted inside containers read-only; however only read access is needed to carry out this attack on an unpatched CPUWhile this is not a direct vulnerability in container runtimes, defense in depth and safe defaults are valuable and preferred, especially as this poses a risk to multi-tenant container environments running directly on affected hardware. This is provided by masking
/sys/devices/virtual/powercapin the default mount configuration, and adding an additional set of rules to deny it in the default AppArmor profile.While
sysfsis not the only way to read from the RAPL subsystem, other ways of accessing it require additional capabilities such asCAP_SYS_RAWIOwhich is not available to containers by default, orperfparanoia level less than 1, which is a non-default kernel tunable.References
CVE-2024-24557
The classic builder cache system is prone to cache poisoning if the image is built
FROM scratch.Also, changes to some instructions (most important being
HEALTHCHECKandONBUILD) would not cause a cache miss.An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps.
For example, an attacker could create an image that is considered as a valid cache candidate for:
when in fact the malicious image used as a cache would be an image built from a different Dockerfile.
In the second case, the attacker could for example substitute a different
HEALTCHECKcommand.Impact
23.0+ users are only affected if they explicitly opted out of Buildkit (
DOCKER_BUILDKIT=0environment variable) or are using the/buildAPI endpoint (which uses the classic builder by default).All users on versions older than 23.0 could be impacted. An example could be a CI with a shared cache, or just a regular Docker user pulling a malicious image due to misspelling/typosquatting.
Image build API endpoint (
/build) andImageBuildfunction fromgithub.com/docker/docker/clientis also affected as it the uses classic builder by default.Patches
Patches are included in Moby releases:
Workarounds
--no-cacheor use Buildkit if possible (DOCKER_BUILDKIT=1, it's default on 23.0+ assuming that the buildx plugin is installed).Version = types.BuilderBuildKitorNoCache = trueinImageBuildOptionsforImageBuildcall.Release Notes
docker/docker (github.com/docker/docker)
v24.0.9+incompatibleCompare Source
v24.0.8+incompatibleCompare Source
v24.0.7+incompatibleCompare Source
v24.0.6+incompatibleCompare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.