

How to patch a Docker container

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article is about how to patch a Docker container. The editor finds it very practical and shares it here in the hope that you will get something out of it. Let's take a look.

How do you patch inside a Docker container? A container image contains many plug-ins and software packages. These need to be scanned for vulnerabilities, and patches or updates installed according to the results. Most cloud container systems are vulnerable to potential attacks. If you are running any type of container, you need to patch it as soon as possible.

As long as the Docker container runs in a local development environment, there are no security issues, because the test environment is isolated from external connections and its state cannot be determined from outside. When your Docker image is deployed in a production environment, security naturally becomes a problem because the container has to handle external network access.

To prevent this problem, first make sure that the host where the Docker container runs is patched with the latest security updates; second, make sure the security patches are also applied inside the Docker container.

All versions of Docker are vulnerable to a race condition that could give an attacker read and write access to any file on the host system. Proof-of-concept code has been released.

This vulnerability, similar to CVE-2018-15664, gives an attacker a window of opportunity to modify a resource path after the path has been resolved but before the assigned program begins to operate on the resource. This is known as a time-of-check to time-of-use (TOCTOU) vulnerability.

The vulnerability is due to the FollowSymlinkInScope function, which is vulnerable to a basic TOCTOU attack. The purpose of this function is to resolve a specified path in a secure way, treating it as a process inside the Docker container would. The resolved path is not operated on immediately, but "after a period of time". An attacker can anticipate this time gap and add a symbolic link (symlink) to the path that may eventually be resolved on the host with root privileges.

This can be achieved through the `docker cp` utility, which allows content to be copied between the container and the local file system.
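The check-then-use gap described above can be reproduced safely in a temporary directory. The following is an added example, not Docker's code and not from the original article: all function names are hypothetical, the `gap` callback is a constructed stand-in for the race window, and the hardened variant is stricter than a scoped symlink resolver because it refuses symlinks and `..` entirely.

```python
import os
import tempfile
from pathlib import Path

def read_check_then_use(root, rel, gap=lambda: None):
    # Vulnerable pattern: resolve and validate the path, then reopen it by name.
    real_root = os.path.realpath(root)
    path = os.path.realpath(os.path.join(real_root, rel.lstrip("/")))
    if os.path.commonpath([real_root, path]) != real_root:
        raise PermissionError("path escapes scope")
    gap()  # constructed stand-in for the window between check and use
    with open(path, "rb") as f:
        return f.read()

def read_anchored(root, rel):
    # Hardened pattern: walk from a directory fd, refusing symlinks and "..".
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("unsupported path")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            want_dir = 0 if i == len(parts) - 1 else os.O_DIRECTORY
            nxt = os.open(part, os.O_RDONLY | os.O_NOFOLLOW | want_dir, dir_fd=fd)
            os.close(fd)
            fd = nxt
        return os.read(fd, 1 << 20)  # sample files are small
    finally:
        os.close(fd)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root, host = Path(tmp, "rootfs"), Path(tmp, "host")  # constructed layout
        (root / "data").mkdir(parents=True)
        host.mkdir()
        (root / "data" / "file").write_bytes(b"container")
        (host / "file").write_bytes(b"host")
        clean = read_anchored(root, "data/file")
        def swap():  # constructed race: directory becomes a symlink after the check
            (root / "data").rename(root / "data.old")
            (root / "data").symlink_to(host)
        leaked = read_check_then_use(root, "data/file", swap)
        try:
            read_anchored(root, "data/file")
        except OSError:
            return clean, leaked, True
        return clean, leaked, False
```

`demo()` returns the clean in-scope read, the bytes the check-then-use reader returned after the swap (from outside the scope), and whether the fd-anchored reader refused the swapped path.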

The above is how to patch a Docker container. The editor believes it covers knowledge points that we may see or use in our daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
