Docker, the popular platform for containerized applications, has issued a critical security advisory concerning a vulnerability in its Docker Engine. The flaw, identified as CVE-2024-41110, could allow attackers to bypass authorization plugins (AuthZ) under specific circumstances, leading to unauthorized actions and possible privilege escalation.
The vulnerability affects multiple versions of Docker Engine, including v19.03.x and later versions, particularly impacting users who rely on authorization plugins for access control decisions. The issue stems from a regression of a previously fixed security problem from 2018, where the original fix was not carried forward to newer versions.
According to Gabriela Georgieva, who detailed the advisory, an attacker could exploit this vulnerability by using an API request with Content-Length set to 0. This could cause the Docker daemon to forward the request without the body to the AuthZ plugin, potentially resulting in incorrect approval if the plugin is not set to deny by default.
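The deny-by-default condition above, as an added Go example (not code from Docker or from the advisory): a plugin decision function that refuses a container-create request when the body it needs to inspect is missing. The request and response field names follow Docker's AuthZ plugin API; the policy itself, the Decide and deny names, and the sample requests are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of the JSON Docker posts to a plugin's /AuthZPlugin.AuthZReq endpoint.
type AuthZRequest struct {
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
	RequestBody   []byte `json:"RequestBody"` // base64-encoded in the JSON
}

// AuthZResponse is the plugin's answer to the daemon.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

func deny(msg string) AuthZResponse { return AuthZResponse{Allow: false, Msg: msg} }

// Decide applies a constructed demo policy: reads are allowed, container creation
// is allowed only when the body shows it is unprivileged, all else is denied.
func Decide(raw []byte) AuthZResponse {
	var req AuthZRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return deny("unparseable authorization request")
	}
	path, _, _ := strings.Cut(req.RequestURI, "?")
	switch {
	case req.RequestMethod == "GET":
		return AuthZResponse{Allow: true}
	case req.RequestMethod == "POST" && strings.HasSuffix(path, "/containers/create"):
		var spec struct{ HostConfig struct{ Privileged bool } }
		// No body means nothing to inspect: deny rather than assume "not privileged".
		if len(req.RequestBody) == 0 || json.Unmarshal(req.RequestBody, &spec) != nil {
			return deny("container create without an inspectable body")
		}
		if spec.HostConfig.Privileged {
			return deny("privileged containers are not permitted")
		}
		return AuthZResponse{Allow: true}
	}
	return deny("not covered by policy")
}

func main() { // constructed sample: a create request that arrives with no body
	fmt.Println(Decide([]byte(`{"RequestMethod":"POST","RequestUri":"/v1.45/containers/create"}`)))
}
```

A plugin written this way rejects the body-less request instead of approving it, which limits the impact on an unpatched daemon; it does not replace the Docker Engine update.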
The vulnerability affects Docker Engine versions up to v19.03.15, v20.10.27, v23.0.14, v24.0.9, v25.0.5, v26.0.2, v26.1.4, v27.0.3, and v27.1.0. Patched versions have been released for v23.0.14, v26.1.4, and v27.1.0 and above.
Docker Desktop users are also affected, with versions up to v4.32.0 including vulnerable Docker Engine versions. However, the impact on Docker Desktop is limited compared to production environments, as exploitation requires access to the Docker API and the default configuration does not include AuthZ plugins.
To mitigate the risk, Docker strongly recommends users update to the latest patched versions of Docker Engine. For those unable to update immediately, avoiding the use of AuthZ plugins and restricting access to the Docker API to trusted parties are suggested as temporary measures.
Docker Desktop users are advised to update to version 4.33 once it becomes available. Docker Business subscribers can utilize Settings Management to enforce secure settings.
This security issue underscores the importance of regular updates and security audits in containerization technologies. Users and administrators are encouraged to stay informed about security advisories and implement recommended patches promptly to maintain the integrity and security of their Docker environments.