CVE-2017-16539

Published: 04 November 2017

The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

Priority

Medium

CVSS 3 base score: 5.9

Status

| Package | Release | Status |
| --- | --- | --- |
| docker.io (Launchpad, Ubuntu, Debian) | Upstream | Needed |
| | Ubuntu 18.04 LTS (Bionic Beaver) | Released (18.06.1-0ubuntu1~18.04.1) |
| | Ubuntu 16.04 LTS (Xenial Xerus) | Released (18.06.1-0ubuntu1~16.04.2) |
| | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist (trusty was not-affected [code not present]) |

Patches:
Upstream: https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
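
The description above concerns a default container spec that leaves /proc/scsi reachable. As an added example (not code from Moby or from this tracker), the Go program below audits an OCI runtime `config.json` and reports whether /proc/scsi is covered by `linux.maskedPaths` or `linux.readonlyPaths`. The helper name `procSCSIState` and the sample JSON are constructed for illustration, and treating a read-only entry as sufficient for this write-based issue is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// ociSpec holds only the OCI runtime-spec fields this check needs.
type ociSpec struct {
	Linux struct {
		MaskedPaths   []string `json:"maskedPaths"`
		ReadonlyPaths []string `json:"readonlyPaths"`
	} `json:"linux"`
}

// covers reports whether any entry equals target or is a parent directory of it.
func covers(entries []string, target string) bool {
	for _, e := range entries {
		e = path.Clean(e)
		if e == target || e == "/" || strings.HasPrefix(target, e+"/") {
			return true
		}
	}
	return false
}

// procSCSIState (hypothetical helper) reports "masked", "readonly" or "exposed" for /proc/scsi.
func procSCSIState(configJSON []byte) (string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return "", fmt.Errorf("parse config.json: %w", err)
	}
	const target = "/proc/scsi"
	switch {
	case covers(spec.Linux.MaskedPaths, target):
		return "masked", nil
	case covers(spec.Linux.ReadonlyPaths, target):
		return "readonly", nil
	}
	return "exposed", nil
}

func main() {
	// Constructed sample: a spec that masks some /proc entries but not /proc/scsi.
	sample := []byte(`{"linux":{"maskedPaths":["/proc/kcore","/proc/timer_list"],"readonlyPaths":["/proc/sys","/proc/bus"]}}`)
	fmt.Println(procSCSIState(sample))
}
```

A spec with no `linux` section or with empty path lists is reported as "exposed", so specs that carry no masking at all are flagged as well.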