Docker Security Update: CVE-2018-5736 and Container Security Best Practices

On Monday, February 11, Docker released an update to fix a privilege escalation vulnerability (CVE-2019-5736) in runC, the Open Container Initiative (OCI) runtime specification used in Docker Engine and containerd. This vulnerability makes it possible for a malicious actor that has created a specially-crafted container image to gain administrative privileges on the host. Docker engineering worked with runC maintainers on the OCI to issue a patch for this vulnerability.

Docker recommends immediately applying the update to avoid any potential security threats. For Docker Engine-Community, this means updating to 18.09.2 or 18.06.2. For Docker Engine- Enterprise, this means updating to 18.09.2, 18.03.1-ee-6, or 17.06.2-ee-19. Read the release notes before applying the update due to specific instructions for Ubuntu and RHEL operating systems.

Summary of the Docker Engine versions that address the vulnerability:

 

Docker Engine Community

Docker Engine Enterprise

18.09.2

18.09.2

18.06.2

18.03.1-ee-6

17.06.2-ee-19

To better protect the container images run by Docker Engine, here are some additional recommendations and best practices:

Use Docker Official Images

Official Images are a curated set of Docker repositories hosted on Docker Hub that are designed to:

BrandPost: Wi-Fi Next Steps: 802.11ax or 802.11ac?

With a new wireless standard ready and available, 2019 unwraps a wireless conundrum as 802.11ax solutions take their place in the market. You may also hear about Wi-Fi 6, which is just the new nomenclature used by the Wi-Fi Alliance (instead of 802.11ax) in the effort to simplify the naming convention. With a hat tip to iOS, this nomenclature is pretty familiar to mobile users so there’s a good chance we’ll see Wi-Fi 7, 8, and 9 in years to come. For the sake of consistency in our comparison of the two standards discussed here, I will refer to the new standard as 802.11ax.Outside what to call the new standard, Aruba and others have introduced APs that leverage the new performance capabilities of 802.11ax. The new Wi-Fi standard includes some clever engineering that improves performance and saves battery life, but it may not be the right choice, nor the only option, to meet the needs of your midsize organization.To read this article in full, please click here

Future Thinking: Alissa Cooper on the Technical Impact of Internet Consolidation

In 2017, the Internet Society unveiled the 2017 Global Internet Report: Paths to Our Digital Future. The interactive report identifies the drivers affecting tomorrow’s Internet and their impact on Media & Society, Digital Divides, and Personal Rights & Freedoms. While preparing to launch the 2019 Global Internet Report, we interviewed Alissa Cooper to hear her perspective on the forces shaping the Internet’s future.

Alissa Cooper is a Fellow at Cisco Systems. She has been serving as the Chair of the Internet Engineering Task Force (IETF) since 2017. Previously, she served three years as an IETF Applications and Real-Time (ART) area director and three years on the Internet Architecture Board (IAB). She also served as the chair of the IANA Stewardship Coordination Group (ICG). At Cisco, Cooper was responsible for driving privacy and policy strategy within the company’s portfolio of real-time collaboration products before being appointed as IETF Chair. Prior to joining Cisco, Cooper served as the Chief Computer Scientist at the Center for Democracy and Technology, where she was a leading public interest advocate and technologist on issues related to privacy, net neutrality, and technical standards. Cooper holds a PhD from the Oxford Internet Institute and MS and BS Continue reading

ExaBGP – handling route withdrawal

In our last post we talked about how we can programmatically talk and listen to ExaBGP. By the end of the post, our Linux server was listening for BGP updates, processing them, and creating static routes based on the information it learned. We worked through some issues to get that far – but also recognized that we had a ways to go. In this post, we’ll start tackling some of the other issues that are lingering with this implementation. So let’s dive right in and start knocking these out!

The first issues I want to talk about isn’t actually an issue anymore – but it’s worth mentioning since we sort of solved it accidentally. At this point – we’ve only processed BGP update messages that have included a single router advertisement. Said more specifically – BGP update messages that included a single NLRI. A BGP update message can (and will) contain multiple NLRI’s so long as the path attributes are the same for all the prefixes. For folks not familiar with BGP – NLRI (Network layer reachability information) are basically the routes or prefixes that are being sent to us. If we go back and look at the BGP update Continue reading

SD-WAN can help solve challenges of multi-cloud

With SD-WAN becoming remote users’ primary access to cloud-based applications, and with organizations deploying multi-cloud environments to optimize performance, it’s important for IT pros to choose SD-WAN technology that supports secure, low-latency and easy-to-manage connectivity to their cloud providers.To read this article in full, please click here(Insider Story)

SD-WAN can help solve challenges of multi-cloud

With SD-WAN becoming remote users’ primary access to cloud-based applications, and with organizations deploying multi-cloud environments to optimize performance, it’s important for IT pros to choose SD-WAN technology that supports secure, low-latency and easy-to-manage connectivity to their cloud providers.To read this article in full, please click here(Insider Story)

SD-WAN can help solve challenges of multi-cloud

With SD-WAN becoming remote users’ primary access to cloud-based applications, and with organizations deploying multi-cloud environments to optimize performance, it’s important for IT pros to choose SD-WAN technology that supports secure, low-latency and easy-to-manage connectivity to their cloud providers.To read this article in full, please click here(Insider Story)

SD-WAN can help solve challenges of multi-cloud

With SD-WAN becoming remote users’ primary access to cloud-based applications, and with organizations deploying multi-cloud environments to optimize performance, it’s important for IT pros to choose SD-WAN technology that supports secure, low-latency and easy-to-manage connectivity to their cloud providers.To read this article in full, please click here(Insider Story)

Operating Cisco ACI the Right Way

This is a guest blog post by Andrea Dainese, senior network and security architect, and author of UNetLab (now EVE-NG) and  Route Reflector Labs. These days you’ll find him busy automating Cisco ACI deployments.

In this post we’ll focus on a simple question that arises in numerous chats I have with colleagues and customers: how should a network engineer operate Cisco ACI? A lot of them don’t use any sort of network automation and manage their Cisco ACI deployments using the Web Interface. Is that good or evil? As you’ll see we have a definite answer and it’s not “it depends”.

Read more ...

BrandPost: Top Ten Reasons to Think Outside the Router #4: Broadband is Used Only for Failover

Continuing our homage to the iconic David Letterman Top Ten List from his former Late Show, Silver Peak is counting down the Top Ten Reasons to Think Outside the Router. Click for the #5, #6, #7, #8, #9 and #10 reasons to replace conventional branch routers with a business-driven SD-WAN platform.To read this article in full, please click here

IBM Cloud Internet Services protects any cloud – now with Cloudflare Spectrum and Workers

At Cloudflare, we have an ambitious mission of helping to build a better Internet. Partnerships are a core part of how we achieve this mission. Last year we joined forces with IBM. Their expertise and deep relationships with the world's largest organizations are highly complementary with Cloudflare's cloud-native, API-first architecture that provides superior security, performance, and availability for Internet-facing workloads.  Our shared goal of enabling and supporting a hybrid and multi-cloud world is becoming a greater component of our combined message to the market.

As we prepare for the IBM Think customer conference in San Francisco this week, the Cloudflare team is excited about the opportunities ahead. We closed 2018 with momentum, bringing several of the world’s leading brands onto the Cloud Internet Services (CIS) platform in 2018. Customers have used CIS for several purposes, including:

  • The CIS Global Load Balancer provides high availability across IBM Cloud regions for customers in Europe, North America, and Latin America
  • CIS caching capabilities have ensured availability and performance for world spectator events with high traffic spikes
  • The CIS authoritative DNS delivers greater availability and performance for Internet-facing workloads supporting thousands of developers

At Think, please visit Cloudflare at our booth (#602). In addition, Continue reading

1 1,274 1,275 1,276 1,277 1,278 3,797