Slashdot Mirror


Docker Image Insecurity

An anonymous reader writes Developer Jonathan Rudenberg has discovered and pointed out a glaring security hole in Docker's system. He says, "Recently while downloading an 'official' container image with Docker I saw this line: ubuntu:14.04: The image you are pulling has been verified

I assumed this referenced Docker's heavily promoted image signing system and didn't investigate further at the time. Later, while researching the cryptographic digest system that Docker tries to secure images with, I had the opportunity to explore further. What I found was a total systemic failure of all logic related to image security.

Docker's report that a downloaded image is 'verified' is based solely on the presence of a signed manifest, and Docker never verifies the image checksum from the manifest. An attacker could provide any image alongside a signed manifest. This opens the door to a number of serious vulnerabilities."
Docker's lead security engineer has responded here.
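To make the failure described above concrete, here is an added example (not Docker's code, and not from Rudenberg's post) that contrasts the two verification policies. It assumes a manifest listing the sha256 digest of each layer, an HMAC over the manifest body standing in for the real signing scheme, and constructed layer bytes; the signing key, image name and helper names are all made up for the demonstration. The point it shows: a signature only proves the manifest is authentic, and unless each delivered layer is hashed and compared against the digest in that manifest, an arbitrary layer can ride along with a perfectly valid signature.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the publisher's signing key (not a real key).
SIGNING_KEY = b"constructed-demo-signing-key"


def sha256_hex(data: bytes) -> str:
    """Content digest in the 'sha256:<hex>' form a manifest would carry."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict) -> dict:
    """Attach an HMAC over the canonical manifest body (stand-in for real signing)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, body, "sha256").hexdigest()
    return {"manifest": manifest, "signature": sig}


def signature_valid(signed: dict) -> bool:
    """Recompute the HMAC over the manifest and compare in constant time."""
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEY, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, signed["signature"])


def weak_verify(signed: dict, layers: list) -> bool:
    """The failure mode from the post: a valid manifest signature alone yields 'verified'.
    The delivered layers are never looked at."""
    return signature_valid(signed)


def strong_verify(signed: dict, layers: list) -> bool:
    """Check the signature, then hash every delivered layer and compare it with
    the digest recorded in the signed manifest. Any mismatch fails the pull."""
    if not signature_valid(signed):
        return False
    expected = signed["manifest"]["layers"]
    if len(expected) != len(layers):
        return False
    return all(
        hmac.compare_digest(sha256_hex(blob), entry["digest"])
        for entry, blob in zip(expected, layers)
    )


# Constructed sample image: two layers the publisher actually built and signed.
GENUINE_LAYERS = [b"layer-0: base filesystem (constructed)", b"layer-1: package set (constructed)"]

# Constructed substitute: same count of layers, different content, delivered with the
# publisher's untouched signed manifest.
SWAPPED_LAYERS = [b"layer-0: something else entirely", b"layer-1: package set (constructed)"]

SIGNED_MANIFEST = sign_manifest({
    "name": "example/ubuntu",      # constructed image name
    "tag": "14.04",
    "layers": [{"digest": sha256_hex(blob)} for blob in GENUINE_LAYERS],
})


def demo_verification(layers: list) -> tuple:
    """Return (weak_result, strong_result) for one set of delivered layers."""
    return weak_verify(SIGNED_MANIFEST, layers), strong_verify(SIGNED_MANIFEST, layers)


def demo_tampered_manifest() -> tuple:
    """Manifest edited after signing: both policies must reject it."""
    tampered = json.loads(json.dumps(SIGNED_MANIFEST))
    tampered["manifest"]["tag"] = "latest"
    return weak_verify(tampered, GENUINE_LAYERS), strong_verify(tampered, GENUINE_LAYERS)


if __name__ == "__main__":
    print("genuine layers :", demo_verification(GENUINE_LAYERS))   # (True, True)
    print("swapped layers :", demo_verification(SWAPPED_LAYERS))   # (True, False)
    print("edited manifest:", demo_tampered_manifest())            # (False, False)
```

The second line of output is the whole story: the weak policy reports the swapped layers as verified because the manifest signature still checks out, while the strong policy catches the substitution because the delivered bytes no longer hash to the digest the publisher signed. Checking the digest before the content is unpacked or executed is what makes the signature mean anything about the image itself.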

2 of 73 comments

  1. Dockers is a brand of khaki garments by Anonymous Coward · Score: 5, Funny

    Dockers is a brand of khaki garments and other accessories from Levi Strauss & Co.

    It's obviously a single pant-leg or shoe, hence, Docker, not Dockers.

    You're welcome.

  2. They must love xkcd by hendrik42 · Score: 2, Funny