Vvoland

**Name of the Vulnerable Software and Affected Versions** Moby versions 28.2.0 through 28.3.2 **Description** Moby is an open source container framework developed by Docker Inc. When the firewalld service is reloaded, it removes all iptables rules, including those created by Docker. In affected versions, Docker fails to recreate the specific rules that block external access to containers. This allows remote machines with network routing to the Docker bridge to access containers with ports published to localhost, even though they should only be accessible from the host. The vulnerability only affects explicitly published ports; unpublished ports remain protected. **Recommendations** Moby versions 28.2.0 through 28.3.2: Upgrade to version 28.3.3 or later. As a workaround, restart the docker daemon after reloading firewalld. As a workaround, re-create bridge networks after reloading firewalld. As a workaround, use rootless mode.

**Name of the Vulnerable Software and Affected Versions** Moby versions prior to 28.0.0 Moby version 25.0.13 **Description** Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby, where reloading firewalld causes Docker to fail to re-create iptables rules that isolate bridge networks. This allows containers to access any port on any other container across different bridge networks on the same host, breaking network segmentation between containers. Containers in `--internal` networks remain protected. **Recommendations** Update to Moby version 28.0.0 or later. Apply the fix available in Moby release 25.0.13. As a temporary workaround, restart the docker daemon after reloading firewalld. As a temporary workaround, re-create bridge networks after reloading firewalld. As a temporary workaround, use rootless mode.

**Name of the Vulnerable Software and Affected Versions** Moby versions prior to 23.0 Moby versions 23.0 and later with DOCKER BUILDKIT=0 environment variable Moby versions 23.0 and later using the /build API endpoint **Description** The classic builder cache system in Moby is prone to cache poisoning if the image is built FROM scratch. Changes to some instructions, such as `HEALTHCHECK` and `ONBUILD`, would not cause a cache miss. An attacker with knowledge of the Dockerfile could poison the cache by making them pull a specially crafted image that would be considered a valid cache candidate for some build steps. The Image build API endpoint (`/build`) and `ImageBuild` function from `github.com/docker/docker/client` are also affected as they use the classic builder by default. **Recommendations** For versions prior to 23.0, update to a version that includes the patch, such as 24.0.9 or 25.0.2. For versions 23.0 and later with DOCKER BUILDKIT=0 environment variable, set DOCKER BUILDKIT=1 to use Buildkit or update to a version that includes the patch. For versions 23.0 and later using the /build API endpoint, consider using the `--no-cache` option or updating to a version that includes the patch. As a temporary workaround, consider using `--no-cache` or setting `NoCache = true` in `ImageBuildOptions` for `ImageBuild` call. Use `Version = types.BuilderBuildKit` in `ImageBuildOptions` for `ImageBuild` call to use Buildkit.