Hack Allows Escape of Play-With-Docker Containers (threatpost.com)
secwatcher quotes a report from Threatpost: Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. The proof-of-concept hack does not affect production Docker instances, according to the CyberArk researchers who developed it. "The team was able to escape the container and run code remotely right on the host, which has obvious security implications," the researchers wrote in a technical write-up posted Monday.
Play-with-Docker is a free, open-source, in-browser playground designed to help developers learn how to use containers. While Play-with-Docker has the support of Docker, it was not created by nor is it maintained by the firm. The environment approximates having an Alpine Linux virtual machine in the browser, allowing users to build and run Docker containers in various configurations. The vulnerability was reported to the developers of the platform on November 6. On January 7, the bug was patched. As for how many instances of Play-with-Docker may have been affected, "CyberArk estimated there were as many as 200 instances of containers running on the platform it analyzed," reports Threatpost. "It also estimates the domain receives 100,000 monthly site visitors."
OK, imagine you are a dev team, and you don't know how to write an install script for your software. No problem, just load it into Docker once, and you don't have to worry about cleaning up your install scripts.
There are some valid use cases, but what I just described is the main one people use in the modern world. There are people who think things like, "Makefiles (or Maven or whatever) are too complicated because they don't allow you to have loops and functions." Nah, these are signs you are making things too complicated and they should be simplified.
Oh, and while I'm criticizing things like an old man, I'll just add that the primary use for MongoDB is people who don't know SQL or how to write a schema. That isn't everyone, and there are some valid reasons to use NoSQL, but a primary use case is people who don't know databases.
"First they came for the slanderers and I said nothing."