Updated on 2023-08-02 GMT+08:00

Notice on the Docker Resource Management Vulnerability (CVE-2021-21285)

Description

Docker is an open source application container engine. It lets you create containers (lightweight, VM-like isolated environments) on Linux and use configuration files to install, deploy, run, and upgrade applications automatically. Docker versions earlier than 19.03.15 (19.03 branch) and 20.10.3 (20.10 branch) contain a resource management error that attackers may exploit to crash the Docker daemon (dockerd).

Table 1 Vulnerability information

  Type                      CVE-ID           Severity   Discovered
  Resource management flaw  CVE-2021-21285   Medium     2021-02-02

Impact

During an image pull, the Docker daemon does not verify the digest of each image layer.

This vulnerability may be triggered in the following scenarios:

  • Manually running docker pull on a cluster node to pull a maliciously damaged image.
  • kubelet automatically pulling a maliciously damaged image defined in the workload template during workload deployment.

The impact of this vulnerability is as follows:

  • If an image is maliciously damaged, pulling it may crash the Docker daemon.
  • If you use Huawei Cloud SWR and pull your images from it, digest verification is performed on images when they are uploaded to the repository, so the Docker daemon is not affected.
  • This vulnerability does not affect running containers.

Identification Method

  1. For EulerOS or CentOS nodes, run the following command to check the installed Docker package version:
    rpm -qa | grep docker
  2. On an EulerOS or CentOS node, if the Docker package version is earlier than 18.09.0.100.51.h10.51.h3-1.h15.eulerosv2r7, the node is affected by this vulnerability.
  3. For nodes running other OSs, such as Ubuntu, run the docker version command to view the Docker version. If the version is earlier than 19.03.15 (19.03 branch) or 20.10.3 (20.10 branch), the node is affected.
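The following shell script is an added example for step 3; it is not part of this notice or of Docker's own tooling. It reads the daemon version with docker version --format '{{.Server.Version}}' and compares it against the fixed releases the notice names (19.03.15 for the 19.03 branch and anything older, 20.10.3 for the 20.10 branch), so it can be run across a fleet of Ubuntu or other non-RPM nodes instead of reading each version by hand. The function and variable names (vercmp, docker_affected, check_host) are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Huawei Cloud notice: flag Docker Engine
# versions that fall below the fixed releases for CVE-2021-21285.

# Compare two dotted version strings numerically, field by field.
# Build suffixes after '-' or '+' (e.g. "18.09.0-ce") are ignored.
# Prints -1, 0 or 1 for "$1" <, =, > "$2".
vercmp() {
  a=${1%%[-+]*}
  b=${2%%[-+]*}
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x:-0};  y=${y:-0}          # missing trailing field counts as 0
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  printf '%s\n' 0
}

# Succeeds (exit 0) when the given version is affected, i.e. older than the
# fixed release of its branch: 20.10.x must be >= 20.10.3, everything before
# the 20.10 branch must be >= 19.03.15 (thresholds from the notice).
docker_affected() {
  if [ "$(vercmp "$1" 20.10.0)" -ge 0 ]; then
    fixed=20.10.3
  else
    fixed=19.03.15
  fi
  [ "$(vercmp "$1" "$fixed")" -lt 0 ]
}

# Query the local daemon and report. Exit codes: 0 affected, 1 not affected,
# 2 daemon version could not be read (no docker binary or daemon unreachable).
check_host() {
  v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || return 2
  if docker_affected "$v"; then
    echo "dockerd $v: affected by CVE-2021-21285, upgrade to 19.03.15 / 20.10.3 or later"
    return 0
  fi
  echo "dockerd $v: not affected"
  return 1
}

# Usage: sh check-cve-2021-21285.sh --host   (runs against the local daemon)
case ${1:-} in
  --host) check_host ;;
esac
```

The version comparison deliberately ignores build suffixes such as -ce, and "$(vercmp ...)" is compared with -lt/-ge so that two-digit fields like "03" and "15" are compared as numbers rather than strings. For EulerOS and CentOS nodes this script is not the right check: there, use rpm -qa | grep docker from step 1 and compare against the package version given in step 2, since the distribution package carries its own patched-version string.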

Solution

Do not use images from unknown sources. You are advised to use SoftWare Repository for Container (SWR).

Helpful Links

The vendor has released a fix for this vulnerability. To obtain the patch, visit https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30