Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update module github.com/docker/docker to v26.0.2+incompatible [SECURITY] #2381

Merged
merged 1 commit into from
Apr 24, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Apr 23, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/docker/docker v26.0.1+incompatible -> v26.0.2+incompatible age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-32473

In 26.0.0 and 26.0.1, IPv6 is not disabled on network interfaces, including those belonging to networks where --ipv6=false.

Impact

A container with an ipvlan or macvlan interface will normally be configured to share an external network link with the host machine. Because of this direct access, with IPv6 enabled:

  • Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses.
  • If router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses.
  • The interface will be a member of IPv6 multicast groups.

This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface.

A container with an unexpected IPv6 address can do anything a container configured with an IPv6 address can do. That is, listen for connections on its IPv6 address, open connections to other nodes on the network over IPv6, or attempt a DoS attack by flooding packets from its IPv6 address. This has CVSS score AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L (2.7).

Because the container may not be constrained by an IPv6 firewall, there is increased potential for data exfiltration from the container. This has CVSS score AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (4.7).

A remote attacker could send malicious Router Advertisements to divert traffic to itself, a black-hole, or another device. The same attack is possible today for IPv4 macvlan/ipvlan endpoints with ARP spoofing, TLS is commonly used by Internet APIs to mitigate this risk. The presence of an IPv6 route could impact the container's availability by indirectly abusing the behaviour of software which behaves poorly in a dual-stack environment. For example, it could resolve a name to a DNS AAAA record and keep trying to connect over IPv6 without ever falling back to IPv4, potentially denying service to the container. This has CVSS score AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.5).

Patches

The issue is patched in 26.0.2.

Workarounds

To completely disable IPv6 in a container, use --sysctl=net.ipv6.conf.all.disable_ipv6=1 in the docker create or docker run command. Or, in the service configuration of a compose file, the equivalent:

        sysctls:
            - net.ipv6.conf.all.disable_ipv6=1

References


Release Notes

docker/docker (github.com/docker/docker)

v26.0.2+incompatible

Compare Source


Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added dependencies Pull requests that update a dependency file security labels Apr 23, 2024
@renovate renovate bot force-pushed the renovate/go-github.com/docker/docker-vulnerability branch from f6603a2 to a87d621 Compare April 23, 2024 21:27
…ITY]

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot changed the title fix(deps): update module github.com/docker/docker to v26.0.2+incompatible [security] Update module github.com/docker/docker to v26.0.2+incompatible [SECURITY] Apr 24, 2024
@renovate renovate bot force-pushed the renovate/go-github.com/docker/docker-vulnerability branch from a87d621 to c37d99d Compare April 24, 2024 17:36
Copy link
Collaborator

@mtrmac mtrmac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the record, the vulnerable code is not used by c/image.

@mtrmac mtrmac merged commit 170da42 into main Apr 24, 2024
10 checks passed
@renovate renovate bot deleted the renovate/go-github.com/docker/docker-vulnerability branch April 24, 2024 18:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file security
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant