Notice of Docker Engine Vulnerability That Allows Attackers to Bypass AuthZ (CVE-2024-41110)
Docker is an open-source container engine, and Docker Engine is its portable container runtime. Docker authorization plugins (AuthZ) sit in front of the Docker daemon's API and can allow or deny individual API requests.
Description
Type | CVE-ID | Severity | Discovered
---|---|---|---
Privilege escalation | CVE-2024-41110 | Critical | 2024-07-25
Impact
An attacker who can reach the Docker Engine API sends a request with the Content-Length header set to 0. The Docker daemon then forwards the request to the AuthZ plugin without its body, so a plugin that bases its decision on the body can approve a request it would otherwise have denied (for example, one that creates a privileged container), allowing unauthorized actions and privilege escalation. Users who do not enable an AuthZ plugin are not affected, nor are users of Docker Engine versions earlier than v19.03, which still carry the original fix from v18.09.1 that was not carried forward to later major versions.
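To make the failure mode concrete, the following is an added example, not Docker's code and not the code of any real AuthZ plugin: it models in Python the decision logic of a plugin that inspects request bodies, first in the pattern that a body-less request slips past, then in a fail-closed form. The function names, the sample request and the rule enforced (deny privileged container creation) are assumptions made for illustration; a real plugin receives the body base64-encoded inside an AuthZReq message, which this model skips.

```python
import json
from typing import Optional

# Constructed sample body of a POST /containers/create request that a policy
# would want to block: privileged container with the host root bind-mounted.
PRIVILEGED_CREATE = json.dumps({
    "Image": "alpine",
    "HostConfig": {"Privileged": True, "Binds": ["/:/host"]},
}).encode()

# Constructed benign create request.
BENIGN_CREATE = json.dumps({"Image": "alpine"}).encode()


def is_container_create(method: str, uri: str) -> bool:
    """Match POST /v1.xx/containers/create regardless of the API version prefix."""
    return method == "POST" and "/containers/create" in uri


def body_requests_privilege(body: bytes) -> bool:
    """Hypothetical policy: reject Privileged=true or a bind mount of host /."""
    spec = json.loads(body)
    host_config = spec.get("HostConfig") or {}
    if host_config.get("Privileged"):
        return True
    return any(b.startswith("/:") for b in host_config.get("Binds") or [])


def allow_naive(method: str, uri: str, body: Optional[bytes]) -> bool:
    """Vulnerable pattern: the body is inspected only when it is present.
    When the daemon forwards a create request without its body (the
    Content-Length: 0 case), no rule fires and the request is allowed."""
    if is_container_create(method, uri) and body:
        return not body_requests_privilege(body)
    return True


def allow_hardened(method: str, uri: str, body: Optional[bytes]) -> bool:
    """Fail-closed pattern: a create request whose body the plugin cannot
    see is denied, so a missing body no longer bypasses the policy."""
    if is_container_create(method, uri):
        if not body:
            return False
        return not body_requests_privilege(body)
    return True


if __name__ == "__main__":
    uri = "/v1.45/containers/create"
    print("naive, body present    :", allow_naive("POST", uri, PRIVILEGED_CREATE))
    print("naive, body stripped   :", allow_naive("POST", uri, b""))
    print("hardened, body stripped:", allow_hardened("POST", uri, b""))
```

Denying when the body is missing is a plugin-side mitigation only; the authoritative fix is the patched daemon, which is what the Solution section below refers to.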
CCE nodes run a Huawei-optimized Docker build with AuthZ plugins disabled, so this vulnerability cannot be triggered on them.
Identification Method
You can run commands on a node to view the plugins used by Docker.
For a node whose container engine is Docker, run the following command:
ps -elf | grep docker
Locate the dockerd process in the output and inspect its command line.
If --authorization-plugin is not present on the dockerd command line (and /etc/docker/daemon.json sets no authorization-plugins key, the other place a plugin can be enabled), AuthZ plugins are not enabled and the vulnerability does not affect this node.
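The check can be scripted for a fleet of nodes. The following is an added Python example, not CCE or Docker tooling: it parses `ps -elf` output for the dockerd command line, accepting both the `--authorization-plugin=NAME` and `--authorization-plugin NAME` forms, and also reads the authorization-plugins key from /etc/docker/daemon.json, since a plugin can be enabled there without any flag. The sample process listings and daemon.json content are constructed for illustration.

```python
"""Report which Docker AuthZ plugins, if any, are enabled on a node."""
import json
import shlex
import subprocess
from pathlib import Path

# Constructed `ps -elf | grep docker` output for a hypothetical node that has
# two authorization plugins enabled, one via --flag=value and one via --flag value.
PS_WITH_AUTHZ = """\
4 S root      1234     1  0  80   0 - 12345 -      Jul25 ?        00:01:02 /usr/bin/dockerd -H fd:// --authorization-plugin=authz-broker --authorization-plugin twistlock
4 S root      1300  1234  0  80   0 -  9876 -      Jul25 ?        00:00:10 /usr/bin/containerd-shim-runc-v2 -namespace moby -id abc123
0 S root      4321  4000  0  80   0 -  1111 -      10:00 pts/0    00:00:00 grep docker
"""

# Constructed output for a node with no AuthZ plugin configured.
PS_WITHOUT_AUTHZ = """\
4 S root      1234     1  0  80   0 - 12345 -      Jul25 ?        00:01:02 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
0 S root      4321  4000  0  80   0 -  1111 -      10:00 pts/0    00:00:00 grep docker
"""

# Constructed daemon.json that enables a plugin without any command-line flag.
DAEMON_JSON_WITH_AUTHZ = '{"log-driver": "json-file", "authorization-plugins": ["authz-broker"]}'


def dockerd_cmdlines(ps_output: str) -> list[str]:
    """Extract the CMD column of every dockerd process from `ps -elf` output.
    `ps -elf` prints 14 fixed columns before CMD, so split on at most 14
    gaps and keep the remainder intact (it holds the daemon's flags)."""
    cmdlines = []
    for line in ps_output.splitlines():
        parts = line.split(None, 14)
        if len(parts) < 15:
            continue
        cmd = parts[14]
        if cmd.split()[0].rsplit("/", 1)[-1] == "dockerd":
            cmdlines.append(cmd)
    return cmdlines


def authz_plugins_from_cmdline(cmdline: str) -> list[str]:
    """Collect values given as --authorization-plugin=NAME or --authorization-plugin NAME."""
    args = shlex.split(cmdline)
    plugins = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--authorization-plugin="):
            plugins.append(arg.split("=", 1)[1])
        elif arg == "--authorization-plugin" and i + 1 < len(args):
            plugins.append(args[i + 1])
            i += 1
        i += 1
    return plugins


def authz_plugins_from_daemon_json(text: str) -> list[str]:
    """Read the authorization-plugins list from daemon.json content; unparsable input yields none."""
    try:
        cfg = json.loads(text) if text.strip() else {}
    except json.JSONDecodeError:
        return []
    value = cfg.get("authorization-plugins", [])
    return [str(p) for p in value] if isinstance(value, list) else []


def node_authz_plugins(ps_output: str, daemon_json_text: str = "") -> list[str]:
    """Sorted union of plugins from every dockerd command line and from daemon.json."""
    found = set(authz_plugins_from_daemon_json(daemon_json_text))
    for cmd in dockerd_cmdlines(ps_output):
        found.update(authz_plugins_from_cmdline(cmd))
    return sorted(found)


if __name__ == "__main__":
    # Live check on the current node (needs ps and read access to daemon.json).
    ps_out = subprocess.run(["ps", "-elf"], capture_output=True, text=True, check=True).stdout
    cfg_path = Path("/etc/docker/daemon.json")
    cfg_text = cfg_path.read_text() if cfg_path.exists() else ""
    plugins = node_authz_plugins(ps_out, cfg_text)
    print("AuthZ plugins enabled:", plugins or "none (node not affected by CVE-2024-41110)")
```

An empty result means no AuthZ plugin is configured and the node is not exposed; a non-empty result means the daemon version must be checked against Docker's advisory and patched.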
Solution
Docker AuthZ plugins are not enabled in CCE clusters, so CVE-2024-41110 does not affect CCE cluster nodes. Do not enable the --authorization-plugin parameter on dockerd (or the equivalent authorization-plugins key in /etc/docker/daemon.json). CCE will also ship the upstream fix in its optimized Docker build.
Helpful Links
Docker security advisory on the AuthZ plugin bypass: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin