Proof-of-concept code for a security flaw in Docker is now public- Comment

It has been reported that security researchers are urging Docker customers to upgrade to the latest version after detailing a proof-of-concept (PoC) attack exploiting a critical vulnerability, which could lead to full container escape. The CVE-2019-14271 flaw was fixed in Docker version 19.03.1, but if left unpatched could give an attacker full root code execution on the host.

Commenting on this, Satnam Narang, senior research engineer at Tenable, said “CVE-2019-14271 is a critical code injection flaw in the Docker copy (docker cp) command, which is used to copy files between containers. Exploitation of this flaw can lead to full container escape by an attacker. It is important to note that to exploit this vulnerability, an attacker would need to include the exploit code in a malicious Docker container image or compromise a container either via another vulnerability or using previously leaked Docker secrets.

“If updating to a patched version is not feasible, users are strongly encouraged to only use trusted Docker container images that have been verified and/or signed. Additionally, please consider using non-root users when launching containers, as that would mitigate the threat this vulnerability poses.”