Help Center/ Cloud Container Engine/ Product Bulletin/ Vulnerability Notices/ Notice on the Docker Resource Management Vulnerability (CVE-2021-21285)
Updated on 2023-08-02 GMT+08:00

Notice on the Docker Resource Management Vulnerability (CVE-2021-21285)

Description

Docker is an open source application container engine. It allows you to create containers (lightweight VMs) on Linux and use configuration files for automatic installation, deployment, running, and upgrade of applications. Docker versions earlier than 19.03.15 and 20.10.3 have a resource management error that may be exploited by attackers to crash the Docker daemon (dockerd).

Table 1 Vulnerability information

Type

CVE-ID

Severity

Discovered

Resource management flaw

CVE-2021-21285

Medium

2021-02-02

Impact

The Docker daemon does not verify the digest at the image layer during image pull.

This vulnerability may be triggered in the following scenarios:

  • Manually run docker pull on a node in the cluster to pull a maliciously damaged image.
  • kubelet automatically pulls a maliciously damaged image defined in the workload template during workload deployment.

The impact of this vulnerability is as follows:

  • If an image is maliciously damaged, pulling it may crash the docker daemon.
  • If you use Huawei Cloud SWR and your images are obtained from SWR, digest verification will be performed on the image uploaded to the image repository, and the Docker daemon will not be affected.
  • This vulnerability does not affect the running containers.

Identification Method

  1. For EulerOS or CentOS nodes, run the following command to check the security package version:
    rpm -qa |grep docker
  2. For a node running on EulerOS or CentOS, if the Docker version is earlier than 18.09.0.100.51.h10.51.h3-1.h15.eulerosv2r7, the Docker package will be affected by this vulnerability.
  3. For nodes that use other OSs, such as Ubuntu, you can run the docker version command to view the Docker version. If the version is earlier than 19.03.15 and 20.10.3, this vulnerability is involved.

Solution

Do not use images from unknown sources. You are advised to use SoftWare Repository for Container (SWR).

Helpful Links

The vendors have released an upgrade patch to fix the vulnerability. To obtain the patch, visit https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30