On Monday, February 11, Docker released an update to fix a privilege escalation vulnerability (CVE-2019-5736) in runC, the Open Container Initiative (OCI) runtime specification used in Docker Engine and containerd. This vulnerability makes it possible for a malicious actor that has created a specially-crafted container image to gain administrative privileges on the host. Docker engineering worked with runC maintainers on the OCI to issue a patch for this vulnerability.
Docker recommends immediately applying the update to avoid any potential security threats. For Docker Engine-Community, this means updating to 18.09.2 or 18.06.2. For Docker Engine-Enterprise, this means updating to 18.09.2, 18.03.1-ee-6, or 17.06.2-ee-19. Read the release notes before applying the update, because they contain specific instructions for Ubuntu and RHEL operating systems.
Summary of the Docker Engine versions that address the vulnerability:
| Docker Engine Community | Docker Engine Enterprise |
| --- | --- |
| 18.09.2 | 18.09.2 |
| 18.06.2 | 18.03.1-ee-6 |
| | 17.06.2-ee-19 |
To better protect the container images run by Docker Engine, here are some additional recommendations and best practices:
Official Images are a curated set of Docker repositories hosted on Docker Hub that are designed to:
Orange claims the largest enterprise SD-WAN deployment in the world rolling out more than 1,500...
The flaw basically allows an infected container to gain control of the overarching host container...
Yasir Liaqatullah, Vice President of Product Management at A10 Networks, discusses new attack...
The new security tool it built analyzes data across 150 sources. It then uses machine learning to...
The investment is further validation that microsegmentation is real, and Illumio CEO Andrew Rubin...
The president’s commitment comes as his top cybersecurity chief warns that China could use Huawei’s 5G networking equipment to steal “trillions” of dollars of intellectual property.
Cloudflare Access secures your internal sites by adding authentication. When a request is made to a site behind Access, Cloudflare asks the visitor to log in with your identity provider. With service tokens, you can now extend that same level of access control by giving credentials to automated tools, scripts, and bots.
When users attempt to reach a site behind Access, Cloudflare looks for a JSON Web Token (a JWT) to determine if that visitor is allowed to reach that URL. If the user does not have a JWT, we redirect them to the identity provider configured for your account. When they log in successfully, we generate the JWT.
When you create an Access service token, Cloudflare generates a unique Client ID and Secret scoped to that service. When your bot sends a request with those credentials as headers, we validate them ourselves instead of redirecting to your identity provider. Access creates a JWT for that service and the bot can use that to reach your application.
Within the Access tab of the Cloudflare dashboard, you’ll find a new section: Service Tokens. To get started, select “Generate a New Service Token.”
You’ll be asked to ...
A while ago we published a guest blog post by Christoph Jaggi explaining the high-level security challenges of most SD-WAN solutions… but what about the low-level details?
Sergey Gordeychik dived deep into implementation details of SD-WAN security in his 35C3 talk (slides, video).
TL&DW: some of the SD-WAN boxes are as secure as a $19.99 Chinese webcam you bought on eBay.
Huawei and ZTE's list of woes continues as Germany, Canada, Poland, and the U.S. all appear to be working to impose new bans.
The cloud giant wants the rest of the industry to get behind its open source confidential computing framework. And it launched a $15K challenge to accelerate this technology.
This approach provides a granular level of security control by matching functionality to specific use cases and business requirements.
CEO Tim Eades won’t comment on his company’s valuation. But he says the investment puts it on track for an IPO and profitability within the next 12 to 18 months.
The SWIFT Controls Framework was created to help customers figure out which controls are needed to better secure their SWIFT environment. The SWIFT security controls framework is broken down into objectives, principles, and controls. The three objectives are “Secure your environment, Know and Limit Access, and Detect and Respond”.
Customers interested in exploring VMware product alignment with the SWIFT framework should evaluate the end-to-end solution. This includes VMware products, as well as other technology that supports a customer’s SWIFT platform. The following is a high-level alignment of some of the SWIFT framework controls and VMware products.
As part of a SWIFT deployment, a secured and zoned off environment must be created. This zone contains the SWIFT infrastructure that is used for all SWIFT transactions. Two SWIFT Principles that we will discuss are
These controls are required to be enforced on the SWIFT infrastructure. SWIFT requires that all traffic from the general IT infrastructure to the SWIFT zone be as restricted as possible. They also ...
Versa has now signed managed service provider agreements with more than 80 global providers.
It’s a smart move for the networking vendor. Gartner estimates that 20.4 billion connected things will be in use by organizations worldwide by 2020.
The company expanded data protection with new and enhanced features to its Data Domain and Integrated Data Protection Appliance (IDPA) products.
Cloudflare seeks to help its end customers use whichever public and private clouds best suit their needs. Towards that goal, we have been working to make sure our solutions work well with various public cloud providers including Microsoft’s Azure platform.
If you are an Azure customer, or thinking about becoming one, here are three ways we have made Cloudflare’s performance and security services work well with Azure.
We are proud to announce an application for Cloudflare Argo Tunnel within the Azure marketplace. As a quick reminder, Argo Tunnel establishes an encrypted connection between the origin and the Cloudflare edge. The small tunnel daemon establishes outbound connections to the two nearest Cloudflare PoPs, and the origin is only accessible via the tunnel between Cloudflare and origin.
Because these are outbound connections, there is likely no need to modify firewall rules, configure DNS records, etc. You can even go so far as to block all IPs on the origin and allow traffic only to flow through the tunnel. You can learn more here. The only prerequisite for using Argo Tunnel is to have Argo enabled on your Cloudflare zone. You can ...
Netsurion’s BranchSDO platform is the company’s natural evolution of its SD-WAN service. “What’s next for SD-WAN is really removing the handcuffs off of the branch and allowing this resilient, agile security solution that also delivers compliance,” said John Ayers, VP of product at...