In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.

An update of the telegraf package has been released.

An update of the kapacitor package has been released.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - docker: Docker Engine in debug mode may sometimes add secrets to the debug log leading to information     disclosure (CVE-2019-13509)

  - docker: IPv6 router advertisements allow for MitM attacks (CVE-2020-13401)

  - Docker Engine before 1.8.3 and CS Docker Engine before 1.6.2-CS7 do not use a globally unique identifier     to store image layers, which makes it easier for attackers to poison the image cache via a crafted image     in pull or push commands. (CVE-2014-8178)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2019-4813 advisory.

  - In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the     docker build command would be able to gain command execution. An issue exists in the way docker build     processes remote git URLs, and results in command injection into the underlying git clone command,     leading to code execution in the context of the user executing the docker build command. This occurs     because git ref can be misinterpreted as a flag. (CVE-2019-13139)

  - In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before     18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a     scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It     potentially applies to other API users of the stack API if they resend the secret. (CVE-2019-13509)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has docker-ce packages installed that are affected by multiple vulnerabilities:

  - Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0,     17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a     Denial of Service via a crafted image layer payload, aka gzip bombing. (CVE-2017-14992)

  - The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block     /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are     used) by leveraging Docker container access to write a scsi remove-single-device line to     /proc/scsi/scsi, aka SCSI MICDROP. (CVE-2017-16539)

  - libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than     ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall     arguments could bypass intended access restrictions by specifying a single matching argument.
    (CVE-2017-18367)

  - The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block     /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling     bluetooth or turning up/down keyboard brightness. (CVE-2018-10892)

  - In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a     symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host     filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen     filesystem (or from within a chroot). (CVE-2018-15664)

  - Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via     a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go,     pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. (CVE-2018-20699)

  - In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the     docker build command would be able to gain command execution. An issue exists in the way docker build     processes remote git URLs, and results in command injection into the underlying git clone command,     leading to code execution in the context of the user executing the docker build command. This occurs     because git ref can be misinterpreted as a flag. (CVE-2019-13139)

  - In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before     18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a     scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It     potentially applies to other API users of the stack API if they resend the secret. (CVE-2019-13509)

  - runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite     the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a     command as root within one of these types of containers: (1) a new container with an attacker-controlled     image, or (2) an existing container, to which the attacker previously had write access, that can be     attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
    (CVE-2019-5736)

  - An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW     capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain     sensitive information, or cause a denial of service. (CVE-2020-13401)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has docker-ce packages installed that are affected by multiple vulnerabilities:

  - Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0,     17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a     Denial of Service via a crafted image layer payload, aka gzip bombing. (CVE-2017-14992)

  - The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block     /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are     used) by leveraging Docker container access to write a scsi remove-single-device line to     /proc/scsi/scsi, aka SCSI MICDROP. (CVE-2017-16539)

  - libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than     ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall     arguments could bypass intended access restrictions by specifying a single matching argument.
    (CVE-2017-18367)

  - The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block     /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling     bluetooth or turning up/down keyboard brightness. (CVE-2018-10892)

  - In Docker through 18.06.1-ce-rc2, the API endpoints behind the 'docker cp' command are vulnerable to a     symlink-exchange attack with Directory Traversal, giving attackers arbitrary read-write access to the host     filesystem with root privileges, because daemon/archive.go does not do archive operations on a frozen     filesystem (or from within a chroot). (CVE-2018-15664)

  - Docker Engine before 18.09 allows attackers to cause a denial of service (dockerd memory consumption) via     a large integer in a --cpuset-mems or --cpuset-cpus value, related to daemon/daemon_unix.go,     pkg/parsers/parsers.go, and pkg/sysinfo/sysinfo.go. (CVE-2018-20699)

  - In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the     docker build command would be able to gain command execution. An issue exists in the way docker build     processes remote git URLs, and results in command injection into the underlying git clone command,     leading to code execution in the context of the user executing the docker build command. This occurs     because git ref can be misinterpreted as a flag. (CVE-2019-13139)

  - In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before     18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a     scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It     potentially applies to other API users of the stack API if they resend the secret. (CVE-2019-13509)

  - runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite     the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a     command as root within one of these types of containers: (1) a new container with an attacker-controlled     image, or (2) an existing container, to which the attacker previously had write access, that can be     attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
    (CVE-2019-5736)

  - An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW     capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain     sensitive information, or cause a denial of service. (CVE-2020-13401)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the docker package has been released.

According to the version of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - In Docker CE and EE before 18.09.8 (as well as Docker     EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10),     Docker Engine in debug mode may sometimes add secrets     to the debug log. This applies to a scenario where     docker stack deploy is run to redeploy a stack that     includes (non external) secrets. It potentially applies     to other API users of the stack API if they resend the     secret.(CVE-2019-13509)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A command injection flaw was discovered in Docker during the `docker build` command. By providing a specially crafted path argument for the container to build, it is possible to inject command options to the `git fetch`/`git checkout` commands that are executed by Docker and to execute code with the privileges of the user running Docker. A local attacker who can run `docker build` with a controlled build path, or a remote attacker who has control over the docker build path, could elevate their privileges or execute code.(CVE-2019-13139)

In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non external) secrets. It potentially applies to other API users of the stack API if they resend the secret.(CVE-2019-13509)

Three security vulnerabilities have been discovered in the Docker container runtime: Insecure loading of NSS libraries in 'docker cp'could result in execution of code with root privileges, sensitive data could be logged in debug mode and there was a command injection vulnerability in the 'docker build' command.

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues :

Docker :

  - CVE-2019-14271: Fixed a code injection if the nsswitch     facility dynamically loaded a library inside a chroot     (bsc#1143409).

  - CVE-2019-13509: Fixed an information leak in the debug     log (bsc#1142160).

  - Update to version 19.03.1-ce, see changelog at     /usr/share/doc/packages/docker/CHANGELOG.md     (bsc#1142413, bsc#1139649).

runc :

  - Use %config(noreplace) for /etc/docker/daemon.json     (bsc#1138920).

  - Update to runc 425e105d5a03, which is required by Docker     (bsc#1139649).

containerd :

  - CVE-2019-5736: Fixed a container breakout vulnerability     (bsc#1121967).

  - Update to containerd v1.2.6, which is required by docker     (bsc#1139649).

golang-github-docker-libnetwork :

  - Update to version     git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is     required by docker (bsc#1142413, bsc#1139649).

This update was imported from the SUSE:SLE-15:Update update project.

Security fix for CVE-2019-13509

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork fixes the following issues :

Docker :

CVE-2019-14271: Fixed a code injection if the nsswitch facility dynamically loaded a library inside a chroot (bsc#1143409).

CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160).

Update to version 19.03.1-ce, see changelog at /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649).

runc: Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920).

Update to runc 425e105d5a03, which is required by Docker (bsc#1139649).

containerd: CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967).

Update to containerd v1.2.6, which is required by docker (bsc#1139649).

golang-github-docker-libnetwork: Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by docker (bsc#1142413, bsc#1139649).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
204388	Photon OS 5.0: Telegraf PHSA-2023-5.0-0041	Nessus	PhotonOS Local Security Checks	high
204224	Photon OS 5.0: Kapacitor PHSA-2023-5.0-0045	Nessus	PhotonOS Local Security Checks	critical
199730	RHEL 7 : docker (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
180634	Oracle Linux 7 : docker-engine (ELSA-2019-4813)	Nessus	Oracle Linux Local Security Checks	high
154519	NewStart CGSL CORE 5.05 / MAIN 5.05 : docker-ce Multiple Vulnerabilities (NS-SA-2021-0138)	Nessus	NewStart CGSL Local Security Checks	high
143962	NewStart CGSL CORE 5.04 / MAIN 5.04 : docker-ce Multiple Vulnerabilities (NS-SA-2020-0082)	Nessus	NewStart CGSL Local Security Checks	high
136552	Photon OS 1.0: Docker PHSA-2020-1.0-0292	Nessus	PhotonOS Local Security Checks	high
136345	Photon OS 3.0: Docker PHSA-2020-3.0-0085	Nessus	PhotonOS Local Security Checks	high
136331	Photon OS 2.0: Docker PHSA-2020-2.0-0235	Nessus	PhotonOS Local Security Checks	high
134749	EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2020-1283)	Nessus	Huawei Local Security Checks	high
130609	Amazon Linux AMI : docker (ALAS-2019-1316)	Nessus	Amazon Linux Local Security Checks	high
128622	Debian DSA-4521-1 : docker.io - security update	Nessus	Debian Local Security Checks	critical
128409	openSUSE Security Update : containerd / docker / docker-runc / etc (openSUSE-2019-2021)	Nessus	SuSE Local Security Checks	critical
128296	Fedora 30 : 2:docker (2019-5b54793a4a)	Nessus	Fedora Local Security Checks	high
128295	Fedora 29 : 2:docker (2019-4bed83e978)	Nessus	Fedora Local Security Checks	high
127884	SUSE SLED15 / SLES15 Security Update : containerd, docker, docker-runc, golang-github-docker-libnetwork (SUSE-SU-2019:2117-1)	Nessus	SuSE Local Security Checks	critical

Detections

Analytics

CVE-2019-13509

high

Tenable Plugins

high

critical

high

high

high

high

high

high

high

high

high

critical

critical

high

high

critical