CVE-2017-16539

The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
References
Link Resource
https://twitter.com/ewindisch/status/926443521820774401 Third Party Advisory
https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1 Issue Tracking Third Party Advisory Patch
https://github.com/moby/moby/pull/35399 Issue Tracking Patch Third Party Advisory
https://marc.info/?l=linux-scsi&m=150985455801444&w=2 Issue Tracking Patch Third Party Advisory
https://marc.info/?l=linux-scsi&m=150985062200941&w=2 Issue Tracking Patch Third Party Advisory
Advertisement

NeevaHost hosting service

Configurations

Configuration 1 (hide)

cpe:2.3:a:mobyproject:moby:*:*:*:*:*:*:*:*

Information

Published : 2017-11-04 10:29

Updated : 2017-11-27 07:55


NVD link : CVE-2017-16539

Mitre link : CVE-2017-16539


JSON object : View

CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

Advertisement

dedicated server usa

Products Affected

mobyproject

  • moby