SB2019110702 - Amazon Linux AMI update for docker
Published: November 7, 2019
Security Bulletin ID
SB2019110702
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Local access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Command Injection (CVE-ID: CVE-2019-13139)
CWE-ID: CWE-77 - Command injection
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
The vulnerability allows a local attacker to inject and execute arbitrary commands on the target system.
The vulnerability exists due to the affected software misinterprets the "git ref" command as a flag. A local authenticated user who is able to execute the "docker build" command and has control over the build path can inject and execute arbitrary commands on the target system.
2) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2019-13509)
CWE-ID: CWE-532 - Information Exposure Through Log Files
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local attacker to access sensitive information on a targeted system.
The vulnerability exists due to the software can add secrets to the debug log when the "docker stack deploy" command is used while running in debug mode to redeploy a stack which includes non-external secrets. A local authenticated attacker can gain access to sensitive information, such as secrets in the log files on a targeted system.
Remediation
Install update from vendor's website.