
Do docker (web service/server)s run unattended updates? Otherwise, how to do this? I am worried about the recent sudo -s CVE. How are docker containers affected? If I set up an auditing system with remote logging, and have unattended/security updates for docker web apps, is this sufficiently secure?

Rory McCune

2 Answers


sudo is not installed by default on many Linux Docker images. If it is, then you need to either log in to the container and update it or pull a more recent version from the web. I don't know what kind of options a remote hacker has to get a command line and execute sudo commands in general, but if this option generally exists, then Docker containers are likely insecure and have been for a long time. It seems however that corporate (or for example university) networks where users have sudo or non-sudo access rights are primarily affected; that is, where users have terminal access.


This CVE (CVE-2021-3156) is unlikely to present any practical risks, when present inside a container image. The reason is that Docker containers are intended to be single user, so being able to escalate is unlikely to allow attackers much additional access.

Most Docker images already run as root, so sudo will have no effect at all. Where a Docker image runs as a non-root user, and has sudo in the image (unlikely) it could allow some limited level of additional access, but the attacker would still be constrained in the container, without additional vulnerabilities or misconfigurations.

The CVE, if present on a Docker host, could be more significant, as access to sudo is likely to give access to the Docker socket and allow access to any containers running on the system.
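The practical question raised by both answers is an inventory one: which containers actually run as a non-root user with sudo present (the only case where the bug is reachable inside a container), what sudo version they carry, and whether any container has the Docker socket bind-mounted, which is the kind of misconfiguration that turns "constrained in the container" into control of the host's other containers. The script below is an added example, not code from either answer or from the Docker project. It assumes the standard `docker ps`, `docker inspect` and `docker exec` CLI commands and the "Sudo version X" first line printed by `sudo --version`; the version strings, user names and mount paths used in the comments are constructed samples, and the live walk over running containers only runs when invoked as `sh audit.sh --live` on a host that has docker installed.

```shell
#!/bin/sh
# Added example (not from the original Q&A): triage helpers for the situation the
# answers describe. The pure functions work on constructed input; the live walk
# over containers uses the docker CLI and is only attempted when it is present.

# Classify a container by the user it runs as and whether sudo is in the image.
#   $1 = value of .Config.User from `docker inspect` ("" / "0" / "root" mean uid 0)
#   $2 = "yes" if a sudo binary exists in the image, otherwise "no"
# Prints one of: root | nonroot-sudo | nonroot-nosudo
classify_container() {
    user="$1"
    has_sudo="$2"
    case "$user" in
        ""|0|root|0:*|root:*)
            # Already uid 0 inside the container: sudo gives nothing extra.
            echo "root" ;;
        *)
            if [ "$has_sudo" = "yes" ]; then
                echo "nonroot-sudo"      # the only case worth reviewing for this CVE
            else
                echo "nonroot-nosudo"    # bug not reachable: no sudo binary at all
            fi ;;
    esac
}

# Extract the version number from `sudo --version` output, whose first line
# looks like "Sudo version 1.9.5p2" (constructed sample). Prints nothing when
# the input does not match, e.g. when the exec failed with "sudo: not found".
sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Report whether a container's bind mounts expose the Docker socket.
#   $1 = newline-separated host source paths (the .Source of each .Mounts entry)
# Prints "yes" or "no".
socket_mounted() {
    if printf '%s\n' "$1" | grep -qE '^/(var/)?run/docker\.sock$'; then
        echo "yes"
    else
        echo "no"
    fi
}

# Walk every running container on this host and print one triage line each.
# Requires the docker CLI; returns quietly if it is not installed.
audit_running_containers() {
    command -v docker >/dev/null 2>&1 || {
        echo "docker not available, skipping live audit" >&2
        return 0
    }
    for id in $(docker ps -q); do
        user=$(docker inspect --format '{{.Config.User}}' "$id")
        mounts=$(docker inspect --format '{{range .Mounts}}{{.Source}}{{"\n"}}{{end}}' "$id")
        if docker exec "$id" sh -c 'command -v sudo >/dev/null 2>&1'; then
            has_sudo=yes
            ver=$(sudo_version "$(docker exec "$id" sudo --version 2>/dev/null)")
        else
            has_sudo=no
            ver=-
        fi
        printf '%s user=%s sudo=%s version=%s socket_mounted=%s class=%s\n' \
            "$id" "${user:-root}" "$has_sudo" "${ver:-unknown}" \
            "$(socket_mounted "$mounts")" "$(classify_container "$user" "$has_sudo")"
    done
}

# Only touch the docker daemon when explicitly asked to.
[ "${1-}" = "--live" ] && audit_running_containers
```

Containers reported as `class=root` match the answer's main point: escalation is meaningless where the process is already uid 0, so the fix for those images is a rebuild on an updated base rather than anything inside the running container. Lines with `class=nonroot-sudo` are the ones to compare against the vendor's fixed version, and any `socket_mounted=yes` line deserves attention regardless of the sudo version, since the socket is what turns a container compromise into host-wide access.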

Rory McCune