

How secure is Docker? If you're not running version 1.3.2, Not VERY - labianchin
http://www.theregister.co.uk/2014/11/25/docker_vulnerabilities/

======
labianchin
Can somebody explain what is the risk with such security issues if you own the
containers?

~~~
ewindisch
The breakout risk with both is with malicious images, not with malicious
processes running in those images. Furthermore, the archive path-traversal
issue is dangerous because it is exploitable by merely downloading images,
even if they're not run.

Still, if you own all the container images that you're consuming or only use
the official builds, the risk is minimal. Mind you that some users
intentionally run containers with elevated privileges via the '--privileged'
flag.

However, if you're running Docker 1.3.0 or older, you're also vulnerable to
MITM attacks against the registry, potentially compromising images as they're
downloaded. It's highly advised that everyone upgrade.

~~~
preillyme
Up to and including version 1.3.1, Docker was vulnerable to extracting files to
arbitrary paths on the host during ‘docker pull’ and ‘docker load’ operations.
This was caused by symlink and hardlink traversals present in Docker's image
extraction. This vulnerability could be leveraged to perform remote code
execution and privilege escalation.
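
A pre-extraction screen for the symlink and hardlink traversal described in the comments above, as an added example that is not part of the thread and is not Docker's own code. The extraction root `/srv/extract`, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import tarfile


def unsafe_members(fileobj, root="/srv/extract"):
    """Return (name, reason) for members that land, or point, outside root."""
    def resolve(base, name):
        return posixpath.normpath(posixpath.join(base, name))

    def outside(path):
        return path != root and not path.startswith(root + "/")

    findings = []
    for m in tarfile.open(fileobj=fileobj, mode="r:*"):
        dest = resolve(root, m.name.lstrip("/"))
        if outside(dest):
            findings.append((m.name, "path escapes root"))
        # Hardlink targets are named relative to the archive root.
        elif m.islnk() and outside(resolve(root, m.linkname.lstrip("/"))):
            findings.append((m.name, "hardlink target escapes root"))
        # Symlink targets are relative to the link's directory; join() keeps absolute ones.
        elif m.issym() and outside(resolve(posixpath.dirname(dest), m.linkname)):
            findings.append((m.name, "symlink target escapes root"))
    return findings


def sample_layer():
    """Constructed archive: one file, one safe symlink, three escaping members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, link in [
            ("app/config", tarfile.REGTYPE, ""),
            ("app/ok", tarfile.SYMTYPE, "config"),
            ("../outside", tarfile.REGTYPE, ""),
            ("app/hard", tarfile.LNKTYPE, "../../host-file"),
            ("app/sym", tarfile.SYMTYPE, "/host-dir"),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, link
            tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in unsafe_members(sample_layer()):
        print(f"{name}: {reason}")
```

The check resolves paths lexically and never touches the filesystem, so it screens an archive before extraction; it does not replace extracting inside a confined root.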

