Notice of Docker Resource Management Vulnerability (CVE-2021-21285)
Description
Docker is an open source application container engine. It lets you create containers (lightweight, VM-like isolated environments) on Linux and use configuration files to automate the installation, deployment, running and upgrading of applications. Docker versions earlier than 19.03.15 and 20.10.3 contain a resource management error that an attacker can exploit to crash the Docker daemon (dockerd).
Type | CVE-ID | Severity | Discovered
---|---|---|---
Resource management flaw | CVE-2021-21285 | Medium | 2021-02-02
Impact
The Docker daemon does not check that an image layer digest is valid when pulling an image. If a maliciously altered image is pulled, the Docker daemon can crash.
This vulnerability can occur in the following scenarios:
- Manually running docker pull on a cluster node to pull a maliciously altered image
- kubelet automatically pulling a maliciously altered image specified in the workload template during workload deployment
The impact of this vulnerability is as follows:
- If an image has been maliciously damaged, pulling it may crash the Docker daemon.
- If you use Huawei Cloud SWR and your images are obtained from SWR, digest verification is performed on every image uploaded to the repository, so the Docker daemon is not affected.
- This vulnerability does not affect containers that are already running.
Identification Method
- For a node running on EulerOS or CentOS, run the following command to check the security package version:
rpm -qa | grep docker
- For a node running on EulerOS or CentOS, if the Docker package version is earlier than 18.09.0.100.51.h10.51.h3-1.h15.eulerosv2r7, the node is affected by this vulnerability.
- For a node running on another OS, such as Ubuntu, run the docker version command to view the Docker version. If the version is earlier than 19.03.15 or 20.10.3, the node is affected by this vulnerability.
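The version check above, as an added example that is not part of this advisory: a small POSIX shell script that classifies an upstream Docker engine version against the two fixed releases (19.03.15 and 20.10.3), so the same rule can be applied across a fleet of nodes. It handles only upstream version strings as printed by docker version; the EulerOS/CentOS rpm version format from the previous steps is not parsed here. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the advisory: classify an upstream Docker engine
# version (as printed by "docker version") against the CVE-2021-21285 fixed
# releases, 19.03.15 and 20.10.3. EulerOS/CentOS rpm version strings are not
# understood; use the rpm check from the advisory on those nodes.

# Turn "MAJOR.MINOR.PATCH[suffix]" into one integer so two versions can be
# compared numerically. awk reads "03" and "09" as decimal (shell arithmetic
# would treat a leading zero as octal) and ignores suffixes such as "-ce".
vernum() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Print "affected" or "fixed" for the given version. Each release branch has
# its own fixed release, so 19.03.15 is fixed while 20.10.2 is still affected
# even though it sorts after it.
docker_cve_2021_21285_status() {
    n=$(vernum "$1")
    if [ "$n" -lt "$(vernum 19.03.15)" ]; then
        echo affected            # 19.03.x before .15, and every older branch
    elif [ "$n" -ge "$(vernum 20.10.0)" ] && [ "$n" -lt "$(vernum 20.10.3)" ]; then
        echo affected            # 20.10.0 to 20.10.2
    else
        echo fixed
    fi
}

# Query the local daemon and report. Returns 1 when the node is affected,
# so the function can drive a fleet-wide check (for example over ssh).
check_local_docker() {
    v=$(docker version --format '{{.Server.Version}}') || return 2
    status=$(docker_cve_2021_21285_status "$v")
    echo "dockerd $v: $status"
    [ "$status" = fixed ]
}
```

Call check_local_docker on a node to test its running daemon; a non-zero exit status means the node still needs the vendor patch.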
Solution
Do not use images from unknown sources. You are advised to use SoftWare Repository for Container (SWR), which verifies image digests on upload.
Helpful Links
Go to GitHub for the upgrade patch provided by the vendor.