CVE-2017-14388: GrootFS doesn't validate DiffIDs


Molly Crowther
 

Apologies for posting this late but wanted it out before Friday morning (Pacific time) for Europe folks. The fix is already committed so I didn't want to wait until Monday.

Please let us know if you have any questions or concerns!

Thank you,
Molly Crowther
CFF Security Team


Molly Crowther
 

FYI -

You are only vulnerable to this if you are using GrootFS and are enabling developers to push Docker containers to the platform. You need developer privileges to exploit.

Molly


On Thu, Nov 9, 2017 at 4:28 PM Molly Crowther <mcrowther@...> wrote:
Apologies for posting this late but wanted it out before Friday morning (Pacific time) for Europe folks. The fix is already committed so I didn't want to wait until Monday.

Please let us know if you have any questions or concerns!

Thank you,
Molly Crowther
CFF Security Team