Notice of Docker Resource Management Vulnerability (CVE-2021-21285)

Description

Docker is an open source application container engine. It allows you to create containers (lightweight VMs) on Linux and use configuration files for automatic installation, deployment, running, and upgrade of applications. Docker versions earlier than 19.03.15 and 20.10.3 have a resource management error that may be exploited by attackers to crash the Docker daemon (dockerd).

**Table 1** Vulnerability details
Type	CVE-ID	Severity	Discovered
Resource management flaw	CVE-2021-21285	Medium	2021-02-02

Impact

The Docker daemon does not check the image layer digest for validity when pulling an image. If a maliciously altered image is pulled, the Docker daemon could crash.

This vulnerability can occur in the following scenarios:

Manually running docker pull on a cluster node to pull a maliciously altered image
kubelet automatically pulling a maliciously altered image specified in the workload template during workload deployment

The impact of this vulnerability is as follows:

If an image is maliciously damaged, pulling it may crash the docker daemon.
If you use Huawei Cloud SWR and your images are obtained from SWR, digest verification will be performed on the image uploaded to the image repository, and the Docker daemon will not be affected.
This vulnerability does not affect the running containers.

Identification Method

For a node running on EulerOS or CentOS, run the following command to check the security package version:
```
rpm -qa |grep docker
```
For a node running on EulerOS or CentOS, if the Docker version is earlier than 18.09.0.100.51.h10.51.h3-1.h15.eulerosv2r7, the Docker package will be affected by this vulnerability.
For a node running on other OSs, such as Ubuntu, run the docker version command to view the Docker version. If the version is earlier than 19.03.15 or 20.10.3, the node will be affected by this vulnerability.

Solution

Do not use images from unknown sources. You are advised to use SoftWare Repository for Container (SWR).

Helpful Links

Go to GitHub for the upgrade patch provided by the vendor.

Parent topic: Vulnerability Notices

Previous topic: Notice of runC Vulnerability That Allows a Container Filesystem Breakout via Directory Traversal (CVE-2021-30465)

Next topic: Notice of NVIDIA GPU Driver Vulnerability (CVE-2021-1056)

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel