CVE-2014-9357
Published 2014-12-16. CVE-2014-9357: Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz)…
Priority: P2 (61) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 6.45% (92.9th percentile)
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build in a Dockerfile in an LZMA (.xz) archive, related to the chroot for archive extraction.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | docker.io | < docker.io 1.3.3~dfsg1-1 (bookworm) | docker.io 1.3.3~dfsg1-1 (bookworm) |
| docker | docker | — | — |
| github.com | docker_docker | >= 0 < 1.3.3 | 1.3.3 |
Detection & IOCs (extracted from sources)
- Flag Docker pull or build operations that unpack LZMA (.xz) archives, especially where the chroot environment for extraction may be escaped. Monitor for unexpected root-level process execution spawned from Docker image extraction workflows.
- Only Docker 1.3.2 is vulnerable. Identify hosts running Docker 1.3.2 as a priority for investigation and patching.
- The vulnerability is specific to Docker 1.3.2 only; the chroot-for-archive-extraction feature introduced in that version is the root cause. Docker 1.3.3 and later are not affected.
- Red Hat notes this flaw is not known to be exploitable under any supported scenario when untrusted images are not used, but still recommends upgrading.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
OSV · 2024-08-21
CVE-2014-9357: Arbitrary Code Execution in github.com/docker/docker
GHSA · 2022-02-15
CVE-2014-9357 [HIGH] CWE-285 Arbitrary Code Execution
OSV · 2022-02-15
CVE-2014-9357 [HIGH] Arbitrary Code Execution
OSV · 2014-12-16 · CVSS 10.0
CVE-2014-9357 [CRITICAL] CVE-2014-9357: Docker 1
Red Hat · 2014-12-11 · CVSS 10.0
CVE-2014-9357 [CRITICAL] docker: Escalation of privileges during decompression of LZMA archives
A flaw was found in the way the Docker service unpacked images or builds after a "docker pull". An attacker could use this flaw to provide a malicious image or build that, when unpacked, would escalate their privileges on the system.
Statement: This issue affects the versions of Docker as shipped with Red Hat Enterprise Linux 7. However, this flaw is not known to be exploitable under any supported scenario. A future update may address this issue.
Red Hat does not support or recommend running untrusted images.
Debian · 2014 · CVSS 10.0
CVE-2014-9357 [CRITICAL] CVE-2014-9357: docker.io - Docker 1.3.2 allows remote attackers to execute arbitrary code with root privile...
Scope: local
| Release | Status |
|---|---|
| bookworm | resolved (fixed in 1.3.3~dfsg1-1) |
| bullseye | resolved (fixed in 1.3.3~dfsg1-1) |
| forky | resolved (fixed in 1.3.3~dfsg1-1) |
| sid | resolved (fixed in 1.3.3~dfsg1-1) |
| trixie | resolved (fixed in 1.3.3~dfsg1-1) |
No detection rules found.
No public exploits indexed.
Bugzilla · 2014-12-11 · CVSS 8.6
CVE-2014-9357 [HIGH] CVE-2014-9357 CVE-2014-9356 CVE-2014-9358 docker-io: various flaws [epel-6]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora EPEL.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
epel-6 tracking bug for docker-io: see blocks bug lis
Bugzilla · 2014-12-11 · CVSS 8.6
CVE-2014-9357 [HIGH] CVE-2014-9357 CVE-2014-9356 CVE-2014-9358 docker-io: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple supported versions o
Bugzilla · 2014-12-10 · CVSS 10.0
CVE-2014-9357 [CRITICAL] CVE-2014-9357 docker: Escalation of privileges during decompression of LZMA archives
Docker Inc. has discovered an issue whereby a malicious image could execute arbitrary code when being unpacked automatically after a "docker pull". From the Docker Inc report:
"It has been discovered that the introduction of chroot for archive extraction in Docker 1.3.2 had introduced a privilege escalation vulnerability. Malicious images or builds from malicious Dockerfiles could escalate privileges and execute arbitrary code as a root user on the Docker host by providing a malicious ‘xz’ binary.
We are releasing Docker 1.3.3 to address this vulnerability. Only Docker 1.3.2 is vulnerable. Users are highly encouraged to upgrade."
Discussion:
Statement:
This issue affects the versions of Docker as shi
Published: 2014-12-16