Description
Docker is a Linux container platform that lets developers package an application together with its dependencies and run it in isolation. The Docker daemon can expose its remote API over TCP (by default on port 2375). When that API is bound to a public interface and no authentication is configured, anyone who can reach the port can control the daemon.
Because no authentication is required, an attacker can read and delete data in containers, images and volumes. Since the daemon itself runs as root, the attacker can also use ordinary Docker features (for example, starting a container that mounts the host's filesystem) to read or modify sensitive files on the host and ultimately take full control of the server.
Affected versions
Any Docker version whose remote API is reachable from the Internet without authentication (no TLS client-certificate verification). This is a configuration weakness, not a bug in a particular release.
Fix
Harden the daemon's startup parameters (DOCKER_OPTS, the systemd unit, or /etc/docker/daemon.json). Steps 1 to 3 take effect only after you restart the Docker service.
1. Change the listening address or port. Where DOCKER_OPTS (or the daemon's -H/--host option) contains tcp://0.0.0.0:2375, change 0.0.0.0 to 127.0.0.1 so the API is reachable only from the host itself, or move it from the default port 2375 to a custom port. A custom port only hides the API from opportunistic scans; on its own it is not a security control and must be combined with step 2 or step 4.
2. Set up authentication for the remote API. Follow the Docker official documentation to protect the daemon socket with TLS and client-certificate verification (--tlsverify together with --tlscacert, --tlscert and --tlskey). Enabling --tls alone only encrypts the connection and still accepts any client; only --tlsverify rejects clients that do not present a certificate signed by your CA.
3. Change the account the Docker service runs as. Run the daemon with the lowest privileges the host allows (for example Docker's rootless mode) and restrict who may run high-risk commands; note that membership in the docker group is equivalent to root on the host.
4. Set up a firewall policy. Configure the cloud security group or an iptables policy so that only specified source IP addresses can reach the Docker API port, and drop everything else.
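The steps above, as an added shell example that is not part of the original advisory or of Docker's own tooling: it audits a DOCKER_OPTS string for a remote API bound to a non-loopback address without --tlsverify, prints a hardened daemon.json for either the loopback or the TLS variant, prints the matching iptables rules, and can probe a host to confirm the API no longer answers unauthenticated requests. The certificate paths, the 2376 port, and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added example (not from the original advisory): audit dockerd options for an
# exposed remote API, emit a hardened daemon.json, print firewall rules, and
# probe a host. Certificate paths and port 2376 are assumptions.

# docker_opts_exposed OPTS
# Returns 0 (true) when OPTS bind the API to a non-loopback TCP address without
# --tlsverify. "--tls" alone only encrypts; it does not authenticate clients.
docker_opts_exposed() {
    opts=$1
    case " $opts " in
        *" --tlsverify "*|*" --tlsverify=true "*) return 1 ;;   # client certs required
    esac
    set -- $opts                      # split the option string into words
    while [ $# -gt 0 ]; do
        host=""
        case $1 in
            -H|--host) host=${2:-}; [ $# -gt 1 ] && shift ;;
            --host=*)  host=${1#--host=} ;;
            -H?*)      host=${1#-H} ;;
        esac
        shift
        case $host in
            ""|unix://*|fd://*)                            ;;  # local sockets only
            tcp://127.*|tcp://localhost:*|tcp://\[::1\]:*) ;;  # loopback binds
            tcp://*)                              return 0 ;;  # any other bind (incl. empty host) is reachable remotely
        esac
    done
    return 1
}

# hardened_daemon_json MODE
# Prints a daemon.json for MODE "loopback" (API on 127.0.0.1 only) or "tls"
# (API on 0.0.0.0:2376; clients must present a certificate signed by our CA).
hardened_daemon_json() {
    case $1 in
        loopback)
            printf '%s\n' '{' \
                '  "hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]' \
                '}' ;;
        tls)
            printf '%s\n' '{' \
                '  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],' \
                '  "tlsverify": true,' \
                '  "tlscacert": "/etc/docker/ca.pem",' \
                '  "tlscert": "/etc/docker/server-cert.pem",' \
                '  "tlskey": "/etc/docker/server-key.pem"' \
                '}' ;;
        *) echo "usage: hardened_daemon_json loopback|tls" >&2; return 2 ;;
    esac
}

# firewall_rules ALLOWED_CIDR PORT
# Prints iptables rules that accept the API port only from ALLOWED_CIDR and
# drop every other source (ACCEPT is inserted first so it precedes the DROP).
firewall_rules() {
    printf 'iptables -I INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$2" "$1"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$2"
}

# probe_docker_api HOST [PORT]
# Live check, run from outside the host: an unauthenticated daemon answers
# GET /version with HTTP 200 and JSON; a --tlsverify daemon or a firewalled
# port makes curl fail. Returns 0 when the API is exposed.
probe_docker_api() {
    host=$1; port=${2:-2375}
    if curl -fsS --max-time 5 "http://$host:$port/version" >/dev/null 2>&1; then
        echo "EXPOSED: $host:$port serves the Docker API without authentication"
        return 0
    fi
    echo "OK: $host:$port does not answer unauthenticated API requests"
    return 1
}

# Usage when run directly (only the functions are defined when sourced):
#   sh docker_api_check.sh audit "$DOCKER_OPTS"
#   sh docker_api_check.sh probe 203.0.113.10 2375   # 203.0.113.10 is a sample address
case ${1:-} in
    audit) if docker_opts_exposed "${2:-}"; then echo "EXPOSED: ${2:-}"; else echo "OK: ${2:-}"; fi ;;
    probe) probe_docker_api "$2" "${3:-2375}" ;;
esac
```

On systemd-based distributions the packaged docker.service starts dockerd with -H fd://, which conflicts with a "hosts" key in daemon.json; add a drop-in that clears ExecStart and starts dockerd without -H, then run systemctl daemon-reload and restart docker. Run the probe from a machine outside the host so it exercises the same path an attacker would.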