
[Vulnerability notice] Unauthorized access vulnerability in Docker remote API

Last Updated: May 07, 2018

Description

Docker is a Linux container technology that lets developers package applications according to their requirements. Docker's remote API is exposed to unauthorized access when it is improperly configured, and attackers may exploit this.

Attackers do not need to authenticate to access Docker data, which may leak sensitive information or allow them to maliciously delete data in Docker. Attackers may further use Docker's features to directly read sensitive information on the host machine or modify sensitive files, and even gain full control over the server.

Affected versions

Docker remote APIs that are exposed to the Internet without authentication enabled.

Fix

  • Change the default parameters of Docker remote API service. Edit Docker startup parameters as follows.

    Note: This operation takes effect only after you restart the Docker service.

    Locate tcp://0.0.0.0:2375 in DOCKER_OPTS and change 0.0.0.0 to 127.0.0.1 (so the API listens only on the loopback interface), or change the default port 2375 to a custom port.

  • Set up authentication policies for the remote API. Follow the Docker official documentation to configure authentication policies for the remote API.

    Note: This operation takes effect only after you restart the Docker service.

  • Change the account that runs the Docker service. Use an account with lower permissions to run the Docker service. In addition, you can prevent users from running high-risk commands.

    Note: This operation takes effect only after you restart the Docker service.

  • Set up a firewall policy. Configure the security group policy or the iptables policy so that only specified IP addresses can access the Docker interfaces.
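The following POSIX shell script is an added example, not part of this notice, that checks a DOCKER_OPTS value for the exposure described in the first two fix steps: a TCP listener on a non-loopback address that does not require client certificates via --tlsverify. The sample option strings and certificate paths are constructed for illustration; the /etc/default/docker style DOCKER_OPTS variable is assumed.

```shell
#!/bin/sh
# Added audit helper (not from the notice): inspect a DOCKER_OPTS value for
# a remote API listener reachable from other hosts without TLS client auth.
# Prints the findings and returns non-zero if any exist, so it can gate a deploy.

audit_docker_opts() {
    opts="$1"
    findings=""
    # every "-H tcp://host:port" entry opens the remote API on a TCP socket
    for h in $(printf '%s\n' "$opts" | grep -E -o 'tcp://[^[:space:]]+' || true); do
        # strip the scheme and a trailing ":port" to get the bind address
        host=$(printf '%s' "$h" | sed -E 's#^tcp://##; s#:[0-9]+$##')
        case "$host" in
            127.0.0.1|localhost|"[::1]") continue ;;   # loopback only: fix step 1
        esac
        # wildcard (0.0.0.0, [::], empty) or any other address is reachable from
        # the network, so the daemon must require client certificates (fix step 2)
        case " $opts " in
            *" --tlsverify=false "*|*" --tlsverify=0 "*)
                findings="${findings}exposed-without-tlsverify($h);" ;;
            *" --tlsverify "*|*" --tlsverify=true "*|*" --tlsverify=1 "*)
                ;;
            *)
                findings="${findings}exposed-without-tlsverify($h);" ;;
        esac
    done
    printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample configurations (illustrative values, not from the notice).
INSECURE_OPTS='-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
LOOPBACK_OPTS='-H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock'
TLS_OPTS='-H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem'

for cfg in "$INSECURE_OPTS" "$LOOPBACK_OPTS" "$TLS_OPTS"; do
    if out=$(audit_docker_opts "$cfg"); then
        echo "OK      : $cfg"
    else
        echo "INSECURE: $out  <- $cfg"
    fi
done
```

Remember that, as the notice says, a change to DOCKER_OPTS takes effect only after the Docker service is restarted, so re-run the check against the running daemon's command line as well.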
