
New Docker release helps users avoid the Poodle bug

If you already loaded up Docker 1.3, which came out a few weeks ago, Docker wants you to update to Docker 1.3.1 to avoid the Poodle bug, the company said in a security advisory on Thursday.

The Poodle bug takes advantage of a security flaw in the way a secure connection is set up between a browser and a website: browsers that fail to connect will try to reestablish the connection using the old and flawed SSL 3.0 version of the security protocol, leaving them open to attack. A host of companies, including Google, Mozilla and Twitter, have said they will no longer support this protocol.

The same sort of vulnerability can occur within the Docker engine and docker-py, an API client that lets Python users communicate with Docker. Essentially, if for some reason the Docker engine or the API client fails to connect to a registry on the first try, its next connection attempt will use an HTTP connection instead of an HTTPS connection; this is less secure and could “force registry connections into using insecure communications to transmit authentication and image data.”

From the forum post:
“Communications between the Docker client and daemon and between the Docker daemon and the registry may be vulnerable to the POODLE attack as described in CVE-2014-3566. In response, both client and server support for SSLv3 has been disabled in Docker 1.3.1. Instead, both clients communicating with the Docker Remote API and private registry servers should support TLS 1.0 or greater.” (Docker)
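The two problems above, the retry that silently drops from HTTPS to HTTP and the acceptance of SSLv3, are shown side by side in this added Python example. It is not Docker's or docker-py's code; the registry URL, the `flaky_registry` stand-in and the `fetch` helper are constructed for illustration, and the TLS floor is set to 1.2 rather than the 1.0 the 2014 advisory asked for.

```python
import ssl
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# A transport takes (url, tls context or None for plaintext) and returns the body.
Transport = Callable[[str, Optional[ssl.SSLContext]], bytes]


def tls_only_context() -> ssl.SSLContext:
    """Client context in the spirit of the 1.3.1 fix: SSLv3 off, TLS floor pinned."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_SSLv3            # refuse the protocol POODLE targets
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # advisory said 1.0+; use 1.2+ today
    return ctx


def context_rejects_sslv3(ctx: ssl.SSLContext) -> bool:
    """Check a context the way a reviewer would: SSLv3 disabled and a TLS minimum set."""
    return bool(ctx.options & ssl.OP_NO_SSLv3) and ctx.minimum_version >= ssl.TLSVersion.TLSv1


def fetch(url: str, transport: Transport, *, attempts: int = 2,
          allow_http_fallback: bool = False) -> Tuple[str, bytes]:
    """Return (scheme actually used, body).

    allow_http_fallback=True reproduces the pre-1.3.1 behaviour described in the
    advisory: after one failed HTTPS attempt the retry goes out over plain HTTP.
    The default keeps retrying over HTTPS and never downgrades.
    """
    ctx = tls_only_context()
    last_error: Optional[Exception] = None
    for _ in range(attempts):
        parts = urlsplit(url)
        try:
            body = transport(url, ctx if parts.scheme == "https" else None)
            return parts.scheme, body
        except ConnectionError as exc:
            last_error = exc
            if parts.scheme == "https" and allow_http_fallback:
                url = urlunsplit(parts._replace(scheme="http"))  # the insecure downgrade
    raise ConnectionError(f"registry unreachable: {url}") from last_error


def flaky_registry(calls: List[str]) -> Transport:
    """Constructed stand-in for a registry whose first connection fails, then succeeds."""
    def transport(url: str, ctx: Optional[ssl.SSLContext]) -> bytes:
        calls.append(url)
        if len(calls) == 1:
            raise ConnectionError("simulated first-attempt failure")
        return b"{\"manifest\": \"constructed\"}"
    return transport
```

Run `fetch("https://registry.example/v1/_ping", flaky_registry([]), allow_http_fallback=True)` and the returned scheme is `http`; with the default it stays `https`.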

The error was spotted by Docker founder and CTO Solomon Hykes along with Red Hat product security researcher Florian Weimer.

By upgrading to the new Docker 1.3.1, users can supposedly avoid getting bitten by the Poodle bug.

Post and thumbnail images courtesy of Flickr user Greg Westall.