If we didn’t have enough fun already with Heartbleed, security experts want to keep us entertained with the recently disclosed Shellshock bug. In summary, Shellshock is a set of vulnerabilities in how Bash parses environment variables, which an attacker can exploit to execute arbitrary code on the affected system.
How does this affect my containers?
If your Docker images are using a base image (ubuntu, centos, debian, fedora…) with a version of Bash affected by the vulnerabilities, an attacker could potentially compromise the application that is running on top of it.
Which base images are affected?
At the time of writing this blog post, using the tests provided by Shellshocker.net, this table depicts the status of Docker’s base images:
This table has been created with the help of a small script I wrote, available on GitHub. You can use it to test your own images.
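As an added example (not the script linked from this post), here is the same kind of check in portable shell: it passes the widely published, harmless `echo` probe for CVE-2014-6271 to a Bash, either the host's or the one inside an image via `docker run -e`, and classifies the output. The image names in the usage loop are assumptions.

```shell
#!/bin/sh
# Added example: probe Bash for CVE-2014-6271 (the original Shellshock bug).
# A variable whose value starts with "() {" is imported as a function by Bash;
# on a vulnerable build the text after the closing brace is executed as well.
PROBE='() { :;}; echo SHELLSHOCK_TRIGGERED'

# Turn the captured output into one word: vulnerable / patched / unknown.
# "unknown" means no usable bash (or docker) was found, not that it is safe.
classify() {
    case "$1" in
        *SHELLSHOCK_TRIGGERED*) echo vulnerable ;;
        *probe-ok*)             echo patched ;;
        *)                      echo unknown ;;
    esac
}

# Check the bash on this host.
check_local_bash() {
    out=$(env x="$PROBE" bash -c 'echo probe-ok' 2>/dev/null || true)
    classify "$out"
}

# Check the bash inside a Docker image. "-e" is what carries the crafted
# variable into the container's environment; a plain host variable would not.
check_image() {
    out=$(docker run --rm -e x="$PROBE" "$1" bash -c 'echo probe-ok' 2>/dev/null || true)
    classify "$out"
}

# Usage: report one line per image given on the command line (names assumed).
check_images() {
    for image in "$@"; do
        printf '%s: %s\n' "$image" "$(check_image "$image")"
    done
}

# Example invocation: ./shellshock-check.sh ubuntu:14.04 debian:wheezy
[ "$#" -gt 0 ] && check_images "$@"
```

A base image reported as "patched" here has only been checked against CVE-2014-6271; the follow-up bugs need their own probes, as the Shellshocker.net test suite provides.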
How can I fix my images?
First, make sure you rebuild your image using the latest version of the base image. If your image is a trusted build, you can use repository links to make sure that the Docker Hub rebuilds your image whenever the base image is updated, so you benefit from any bug fixes the Docker team applies to it.
Second, as you might notice, not all base images have been patched for all discovered vulnerabilities. This is because either the official repositories have not yet been updated, or the release is no longer maintained (for example: Ubuntu Saucy, Raring and Quantal). In this case, you can rebuild Bash from source and patch it manually. Shellshocker.net also provides a shell script to automate this process. If your application requires a release that is no longer maintained, you can update your Dockerfile to build the latest release of Bash into your image automatically.
Right after the first bug was disclosed (CVE-2014-6271, the “original” Shellshock bug), several other related bugs were found while investigating the original design flaw. The latest patch was published just 4 days ago, so it is likely that new bugs and new patches are yet to come.