Corhere

#8828 of 53,622
Total CVSS: 31
Vulnerabilities: 4 (Medium: 2, High: 1, Critical: 1)
PT-2024-5203
9.9
2024-04-25
Docker · Docker Engine · CVE-2024-41110
**Name of the Vulnerable Software and Affected Versions** Docker Engine versions prior to v27.1.1; Docker Engine versions 19.03 and later, excluding v19.03.x; Docker CE versions prior to v27.1.1 **Description** A security vulnerability has been detected in certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may then allow a request that it would have denied had the body been forwarded to it. The underlying issue was first discovered in 2018, when an attacker could bypass AuthZ plugins using a specially crafted API request, leading to unauthorized actions including privilege escalation. Although that issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. **Recommendations** For Docker Engine versions prior to v27.1.1, update to v27.1.1 or later. For Docker Engine versions 19.03 and later, excluding v19.03.x, update to a release that includes the merged patches; the patches have been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If upgrading immediately is not possible, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege.
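The following is an added example, not code from this page or from Docker: a Python sketch of an AuthZ plugin decision function that shows the failure mode described above, where a plugin that treats a missing body as "nothing to deny" allows a request it would have rejected with the body present, next to a fail-closed version. The JSON field names (`RequestMethod`, `RequestURI`, `RequestBody`, `Allow`, `Msg`) are those of the Docker AuthZ plugin protocol; the endpoint list, the `HostConfig.Privileged` policy and the sample requests are constructed for this example.

```python
import base64
import json
from typing import Optional

# Field names follow the Docker AuthZ plugin protocol (the daemon POSTs this JSON
# to /AuthZPlugin.AuthZReq and expects {"Allow": bool, "Msg": str} back).
# The endpoint set and the policy below are constructed for this example.

# Endpoints whose security decision depends on the request body: with no body,
# a plugin cannot know what it is approving.
BODY_BEARING = {
    ("POST", "/containers/create"),
    ("POST", "/services/create"),
}


def api_path(uri: str) -> str:
    """Strip the optional /vX.Y version prefix and the query string from a RequestURI."""
    path = uri.split("?", 1)[0]
    parts = path.split("/")
    if len(parts) > 1 and parts[1].startswith("v") and parts[1][1:2].isdigit():
        parts = [""] + parts[2:]
    return "/".join(parts)


def decode_body(req: dict) -> Optional[dict]:
    """Return the JSON object the daemon forwarded as RequestBody, or None if absent."""
    raw = req.get("RequestBody")
    if not raw:
        return None
    try:
        obj = json.loads(base64.b64decode(raw))
    except ValueError:  # bad base64 or bad JSON: no usable body
        return None
    return obj if isinstance(obj, dict) else None


def wants_privileged(body: dict) -> bool:
    host_config = body.get("HostConfig")
    return isinstance(host_config, dict) and bool(host_config.get("Privileged"))


def naive_decision(req: dict) -> dict:
    """Bypassable pattern: a missing body is treated as nothing to object to."""
    body = decode_body(req) or {}
    if wants_privileged(body):
        return {"Allow": False, "Msg": "privileged containers are not allowed"}
    return {"Allow": True}


def hardened_decision(req: dict) -> dict:
    """Fail closed: deny body-bearing endpoints when the body was not forwarded."""
    key = (req.get("RequestMethod", ""), api_path(req.get("RequestURI", "")))
    body = decode_body(req)
    if key in BODY_BEARING and body is None:
        return {"Allow": False, "Msg": "request body not available to the authorization plugin"}
    if body is not None and wants_privileged(body):
        return {"Allow": False, "Msg": "privileged containers are not allowed"}
    return {"Allow": True}


def _b64(obj: dict) -> str:
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample requests, shaped like what the daemon sends to the plugin.
PRIVILEGED_CREATE = {
    "User": "alice",
    "UserAuthNMethod": "TLS",
    "RequestMethod": "POST",
    "RequestURI": "/v1.45/containers/create?name=test",
    "RequestHeaders": {"Content-Type": "application/json"},
    "RequestBody": _b64({"Image": "alpine", "HostConfig": {"Privileged": True}}),
}
# The same request as the plugin sees it when the daemon does not forward the body.
PRIVILEGED_CREATE_NO_BODY = {**PRIVILEGED_CREATE, "RequestBody": ""}
# A benign create, to show the hardened check does not block ordinary traffic.
UNPRIVILEGED_CREATE = {**PRIVILEGED_CREATE, "RequestBody": _b64({"Image": "alpine"})}

if __name__ == "__main__":
    for name, req in (("with body", PRIVILEGED_CREATE),
                      ("body not forwarded", PRIVILEGED_CREATE_NO_BODY),
                      ("unprivileged", UNPRIVILEGED_CREATE)):
        print(f"{name:20s} naive={naive_decision(req)['Allow']} "
              f"hardened={hardened_decision(req)['Allow']}")
```

The fail-closed check is plugin-side defence in depth, not a substitute for upgrading the daemon: it only covers endpoints the plugin knows to be body-bearing, and the mitigations listed above (upgrade, or restrict API access and avoid AuthZ plugins) still apply.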
PT-2023-4601
6.8
2023-04-04
Docker · Moby · CVE-2023-28841
**Name of the Vulnerable Software and Affected Versions** Moby versions prior to 23.0.3; Moby versions prior to 20.10.24; Mirantis Container Runtime versions prior to 20.10.16 **Description** The issue affects the encrypted overlay network feature in Moby's Swarm Mode. Encrypted overlay networks work by encapsulating VXLAN datagrams using the IPsec Encapsulating Security Payload protocol in Transport mode. On affected platforms, however, these networks silently transmit unencrypted data: they appear to function, but provide none of the expected confidentiality and data-integrity guarantees. An attacker able to observe traffic on the underlying network can read all application traffic crossing the overlay network, resulting in unexpected disclosure of secrets or user data. Many database protocols and internal APIs carry no second layer of encryption, so users may be relying on Swarm encrypted overlay networks for confidentiality that, because of this vulnerability, is not provided. **Recommendations** Update to Moby release 23.0.3 or later. Update to Moby release 20.10.24 or later. Update to Mirantis Container Runtime version 20.10.16 or later. As a temporary workaround, close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary to prevent unintentionally leaking unencrypted traffic over the Internet. Ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.
PT-2023-2249
6.8
2023-03-24
Docker · Moby · CVE-2023-28842
**Name of the Vulnerable Software and Affected Versions** Moby versions prior to 23.0.3; Moby versions prior to 20.10.24; Mirantis Container Runtime versions prior to 20.10.16 **Description** The issue stems from the use of an unsecured alternative channel in the Swarm Mode of the Moby daemon component, which allows a remote attacker to affect the integrity of protected information by sending unencrypted packets. Encrypted overlay networks in Moby's Swarm Mode silently accept cleartext VXLAN datagrams, making it possible to inject arbitrary Ethernet frames into the encrypted overlay network. The `overlay` network driver, a core feature of Swarm Mode, provides isolated virtual LANs and supports an optional encrypted mode; because the cleartext path is not rejected, the isolation and integrity that mode is expected to provide can be undermined by injected frames. **Recommendations** For Moby versions prior to 23.0.3, update to version 23.0.3 or later. For Moby versions prior to 20.10.24, update to version 20.10.24 or later. For Mirantis Container Runtime versions prior to 20.10.16, update to version 20.10.16 or later. As a temporary workaround, in multi-node clusters, deploy a global 'pause' container for each encrypted overlay network on every node. For a single-node cluster, do not use overlay networks of any sort; use bridge networks for connectivity instead. If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPsec.
PT-2022-6526
7.5
2022-03-15
Mirantis · Mirantis Container Runtime · CVE-2023-28840
**Name of the Vulnerable Software and Affected Versions** Moby versions prior to 23.0.3; Moby versions prior to 20.10.24; Mirantis Container Runtime versions prior to 20.10.16 **Description** The issue stems from the use of an unsecured alternative channel in the Swarm Mode of the Moby daemon component. It can enable a denial of service and may allow a sophisticated attacker to establish a UDP or TCP connection by way of the container's outbound gateway that a stateful firewall would otherwise block. The root cause is that arbitrary Ethernet frames can be injected and used to smuggle packets into the overlay network. Encrypted overlay networks work by encapsulating VXLAN datagrams using the IPsec Encapsulating Security Payload protocol in Transport mode; however, the rules Moby installs to discard unencrypted VXLAN datagrams can be overridden by administrator-set rules, potentially admitting unencrypted datagrams that should have been discarded. **Recommendations** Update to Moby release 23.0.3 or later. Update to Moby release 20.10.24 or later. Update to Mirantis Container Runtime release 20.10.16 or later. As a temporary workaround, consider closing the VXLAN port (by default, UDP port 4789) to incoming traffic at the Internet boundary to prevent all VXLAN packet injection. Ensure that the `xt_u32` kernel module is available on all nodes of the Swarm cluster.
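The following is an added example, not part of this page or of Moby, serving the three Swarm overlay entries above (CVE-2023-28841, CVE-2023-28842, CVE-2023-28840). It is a Python audit for one Swarm node: it walks a captured `iptables -S INPUT` listing in first-match order to decide what the node does with a cleartext VXLAN datagram on UDP/4789 versus an IPsec-protected one, and checks that `xt_u32` is available. The `-m policy --pol ipsec` match, the `-m u32` match and chain policies are modelled as iptables evaluates them; the sample listings, the VNI expression and the module lists are constructed for the example, and a `-m u32` match is assumed to hit (the datagram is taken to carry the overlay's own VNI).

```python
import shlex
from typing import Dict, List, Optional

VXLAN_PORT = "4789"
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

Rule = Dict[str, Optional[str]]


def parse_rule(line: str) -> Rule:
    """Reduce one `iptables -S` line to the options that decide VXLAN handling."""
    toks = shlex.split(line)
    rule: Rule = {"kind": None, "chain": None, "proto": None,
                  "dport": None, "pol": None, "target": None}
    for i, tok in enumerate(toks):
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if tok in ("-P", "-A"):
            rule["kind"], rule["chain"] = tok, nxt
            if tok == "-P" and i + 2 < len(toks):
                rule["target"] = toks[i + 2]   # chain policy
        elif tok == "-p":
            rule["proto"] = nxt
        elif tok == "--dport":
            rule["dport"] = nxt
        elif tok == "--pol":                   # from -m policy: "ipsec" or "none"
            rule["pol"] = nxt
        elif tok == "-j":
            rule["target"] = nxt
    return rule


def verdict(rules: List[Rule], chain: str, pkt: Dict[str, object]) -> str:
    """First-match walk of one chain; returns the terminal target or the chain policy."""
    policy = "ACCEPT"
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["kind"] == "-P":
            policy = r["target"] or policy
            continue
        if r["proto"] and r["proto"] != pkt["proto"]:
            continue
        if r["dport"] and r["dport"] != pkt["dport"]:
            continue
        if r["pol"] == "ipsec" and not pkt["ipsec"]:
            continue
        if r["pol"] == "none" and pkt["ipsec"]:
            continue
        # Assumption: an `-m u32` VNI match hits (the datagram targets this overlay).
        if r["target"] in TERMINAL_TARGETS:
            return r["target"]
        # jumps into user-defined chains are not followed in this simplified model
    return policy


def audit_node(iptables_s: str, available_modules: List[str]) -> List[str]:
    """Return the findings for one Swarm node; an empty list means nothing found."""
    rules = [parse_rule(l) for l in iptables_s.splitlines() if l.strip()]
    cleartext = {"proto": "udp", "dport": VXLAN_PORT, "ipsec": False}
    encrypted = {"proto": "udp", "dport": VXLAN_PORT, "ipsec": True}
    findings = []
    if "xt_u32" not in available_modules:
        findings.append("xt_u32 is not available: Moby cannot install its VXLAN filtering rules")
    if verdict(rules, "INPUT", cleartext) == "ACCEPT":
        findings.append("cleartext VXLAN on UDP/4789 reaches INPUT ACCEPT: "
                        "unencrypted frames can be injected into the overlay")
    if verdict(rules, "INPUT", encrypted) != "ACCEPT":
        findings.append("IPsec-protected VXLAN on UDP/4789 is not accepted: "
                        "encrypted overlay traffic will be dropped")
    return findings


# Constructed sample listings (the u32 expression is illustrative only).
GOOD_INPUT = """\
-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=0x100400" -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=0x100400" -j DROP
"""

# An administrator's blanket ACCEPT placed ahead of the overlay rules overrides the DROP.
OVERRIDDEN_INPUT = """\
-P INPUT DROP
-A INPUT -p udp -m udp --dport 4789 -j ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=0x100400" -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=0x100400" -j DROP
"""

if __name__ == "__main__":
    for name, listing, mods in (("good", GOOD_INPUT, ["xt_u32", "xt_policy"]),
                                ("overridden", OVERRIDDEN_INPUT, ["xt_policy"])):
        print(name, audit_node(listing, mods) or ["no findings"])
```

On a real node, feed it the output of `iptables -S INPUT` and a module list built from `modinfo xt_u32` (or `lsmod`, which only shows modules already loaded). The second sample reproduces the CVE-2023-28840 condition: an administrator's blanket ACCEPT for UDP/4789 precedes the overlay's rules, so the cleartext verdict is ACCEPT even though the DROP rule is still present.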