Security update for docker SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20259-1 Final 1 1 2025-03-31T16:54:11Z current 2025-03-31T16:54:11Z 2025-03-31T16:54:11Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for docker This update for docker fixes the following issues: - This update includes fixes for: * CVE-2024-41110: Fixed Authz zero length regression (bsc#1228324) * CVE-2023-47108: Fixed otelgrpc: DoS vulnerability in otelgrpc (uncontrolled resource consumption) due to unbound cardinality (bsc#1217070 bsc#1229806) * CVE-2023-45142: Fixed otelhttp,otelhttptrace,otelrestful: DoS vulnerability (bsc#1228553 bsc#1229806) - Update to Docker 27.5.1-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/27/#2741> bsc#1237335 - Update to docker-buildx 0.20.1. See upstream changelog online at <https://github.com/docker/buildx/releases/tag/v0.20.1> - Update to Docker 27.4.1-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/27/#2741> - Update to docker-buildx 0.19.3. See upstream changelog online at <https://github.com/docker/buildx/releases/tag/v0.19.3> - Update to Docker 27.4.0-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/27/#274> <https://github.com/docker/buildx/releases/tag/v0.19.2>. Some notable changelogs from the last update: * <https://github.com/docker/buildx/releases/tag/v0.19.0> * <https://github.com/docker/buildx/releases/tag/v0.18.0> - Update to Go 1.22. - Add a new toggle file /etc/docker/suse-secrets-enable which allows users to disable the SUSEConnect integration with Docker (which creates special mounts in /run/secrets to allow container-suseconnect to authenticate containers with registries on registered hosts). bsc#1231348 bsc#1232999 In order to disable these mounts, just do echo 0 > /etc/docker/suse-secrets-enable and restart Docker. In order to re-enable them, just do echo 1 > /etc/docker/suse-secrets-enable and restart Docker. Docker will output information on startup to tell you whether the SUSE secrets feature is enabled or not. - Disable docker-buildx builds for SLES. It turns out that build containers with docker-buildx don't currently get the SUSE secrets mounts applied, meaning that container-suseconnect doesn't work when building images. bsc#1233819 - Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from sysconfig a long time ago, and apparently this causes issues with systemd in some cases. - Update to docker-buildx v0.17.1 to match standalone docker-buildx package we are replacing. See upstream changelog online at <https://github.com/docker/buildx/releases/tag/v0.17.1> - Mark docker-buildx as required since classic "docker build" has been deprecated since Docker 23.0. bsc#1230331 - Import docker-buildx v0.16.2 as a subpackage. Previously this was a separate package, but with docker-stable it will be necessary to maintain the packages together and it makes more sense to have them live in the same OBS package. bsc#1230333 - Update to Docker 26.1.5-ce. See upstream changelog online at <https://docs.docker.com/engine/release-notes/26.1/#2615> bsc#1230294 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-37 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520259-1/ Link for SUSE-SU-2025:20259-1 https://lists.suse.com/pipermail/sle-security-updates/2025-June/021059.html E-Mail link for SUSE-SU-2025:20259-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1217070 SUSE Bug 1217070 https://bugzilla.suse.com/1223409 SUSE Bug 1223409 https://bugzilla.suse.com/1228324 SUSE Bug 1228324 https://bugzilla.suse.com/1228553 SUSE Bug 1228553 https://bugzilla.suse.com/1229806 SUSE Bug 1229806 https://bugzilla.suse.com/1230294 SUSE Bug 1230294 https://bugzilla.suse.com/1230331 SUSE Bug 1230331 https://bugzilla.suse.com/1230333 SUSE Bug 1230333 https://bugzilla.suse.com/1231348 SUSE Bug 1231348 https://bugzilla.suse.com/1232999 SUSE Bug 1232999 https://bugzilla.suse.com/1233819 SUSE Bug 1233819 https://bugzilla.suse.com/1234089 SUSE Bug 1234089 https://bugzilla.suse.com/1237335 SUSE Bug 1237335 https://www.suse.com/security/cve/CVE-2023-45142/ SUSE CVE CVE-2023-45142 page https://www.suse.com/security/cve/CVE-2023-47108/ SUSE CVE CVE-2023-47108 page https://www.suse.com/security/cve/CVE-2024-29018/ SUSE CVE CVE-2024-29018 page https://www.suse.com/security/cve/CVE-2024-41110/ SUSE CVE CVE-2024-41110 page SUSE Linux Micro 6.1 docker-27.5.1_ce-slfo.1.1_1.1 docker-27.5.1_ce-slfo.1.1_1.1 as a component of SUSE Linux Micro 6.1 OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. A handler wrapper out of the box adds labels `http.user_agent` and `http.method` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent to it. HTTP header User-Agent or HTTP method for requests can be easily set by an attacker to be random and long. The library internally uses `httpconv.ServerRequest` that records every value for HTTP `method` and `User-Agent`. In order to be affected, a program has to use the `otelhttp.NewHandler` wrapper and not filter any unknown HTTP methods or User agents on the level of CDN, LB, previous middleware, etc. Version 0.44.0 fixed this issue when the values collected for attribute `http.request.method` were changed to be restricted to a set of well-known values and other high cardinality attributes were removed. As a workaround to stop being affected, `otelhttp.WithFilter()` can be used, but it requires manual careful configuration to not log certain requests entirely. For convenience and safe usage of this library, it should by default mark with the label `unknown` non-standard HTTP methods and User agents to show that such requests were made but do not increase cardinality. In case someone wants to stay with the current behavior, library API should allow to enable it. CVE-2023-45142 SUSE Linux Micro 6.1:docker-27.5.1_ce-slfo.1.1_1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520259-1/ https://www.suse.com/security/cve/CVE-2023-45142.html CVE-2023-45142 https://bugzilla.suse.com/1228553 SUSE Bug 1228553 OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemetry-Go. Prior to version 0.46.0, the grpc Unary Server Interceptor out of the box adds labels `net.peer.sock.addr` and `net.peer.sock.port` that have unbound cardinality. It leads to the server's potential memory exhaustion when many malicious requests are sent. An attacker can easily flood the peer address and port for requests. Version 0.46.0 contains a fix for this issue. As a workaround to stop being affected, a view removing the attributes can be used. The other possibility is to disable grpc metrics instrumentation by passing `otelgrpc.WithMeterProvider` option with `noop.NewMeterProvider`. CVE-2023-47108 SUSE Linux Micro 6.1:docker-27.5.1_ce-slfo.1.1_1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520259-1/ https://www.suse.com/security/cve/CVE-2023-47108.html CVE-2023-47108 https://bugzilla.suse.com/1217070 SUSE Bug 1217070 Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. Moby's networking implementation allows for many networks, each with their own IP address range and gateway, to be defined. This feature is frequently referred to as custom networks, as each network can have a different driver, set of parameters and thus behaviors. When creating a network, the `--internal` flag is used to designate a network as _internal_. The `internal` attribute in a docker-compose.yml file may also be used to mark a network _internal_, and other API clients may specify the `internal` parameter as well. When containers with networking are created, they are assigned unique network interfaces and IP addresses. The host serves as a router for non-internal networks, with a gateway IP that provides SNAT/DNAT to/from container IPs. Containers on an internal network may communicate between each other, but are precluded from communicating with any networks the host has access to (LAN or WAN) as no default route is configured, and firewall rules are set up to drop all outgoing traffic. Communication with the gateway IP address (and thus appropriately configured host services) is possible, and the host may communicate with any container IP directly. In addition to configuring the Linux kernel's various networking features to enable container networking, `dockerd` directly provides some services to container networks. Principal among these is serving as a resolver, enabling service discovery, and resolution of names from an upstream resolver. When a DNS request for a name that does not correspond to a container is received, the request is forwarded to the configured upstream resolver. This request is made from the container's network namespace: the level of access and routing of traffic is the same as if the request was made by the container itself. As a consequence of this design, containers solely attached to an internal network will be unable to resolve names using the upstream resolver, as the container itself is unable to communicate with that nameserver. Only the names of containers also attached to the internal network are able to be resolved. Many systems run a local forwarding DNS resolver. As the host and any containers have separate loopback devices, a consequence of the design described above is that containers are unable to resolve names from the host's configured resolver, as they cannot reach these addresses on the host loopback device. To bridge this gap, and to allow containers to properly resolve names even when a local forwarding resolver is used on a loopback address, `dockerd` detects this scenario and instead forward DNS requests from the host namework namespace. The loopback resolver then forwards the requests to its configured upstream resolvers, as expected. Because `dockerd` forwards DNS requests to the host loopback device, bypassing the container network namespace's normal routing semantics entirely, internal networks can unexpectedly forward DNS requests to an external nameserver. By registering a domain for which they control the authoritative nameservers, an attacker could arrange for a compromised container to exfiltrate data by encoding it in DNS queries that will eventually be answered by their nameservers. Docker Desktop is not affected, as Docker Desktop always runs an internal resolver on a RFC 1918 address. Moby releases 26.0.0, 25.0.4, and 23.0.11 are patched to prevent forwarding any DNS requests from internal networks. As a workaround, run containers intended to be solely attached to internal networks with a custom upstream address, which will force all upstream DNS queries to be resolved from the container's network namespace. CVE-2024-29018 SUSE Linux Micro 6.1:docker-27.5.1_ce-slfo.1.1_1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520259-1/ https://www.suse.com/security/cve/CVE-2024-29018.html CVE-2024-29018 https://bugzilla.suse.com/1234089 SUSE Bug 1234089 Moby is an open-source project created by Docker for software containerization. A security vulnerability has been detected in certain versions of Docker Engine, which could allow an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low. Using a specially-crafted API request, an Engine API client could make the daemon forward the request or response to an authorization plugin without the body. In certain circumstances, the authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it. A security issue was discovered In 2018, where an attacker could bypass AuthZ plugins using a specially crafted API request. This could lead to unauthorized actions, including privilege escalation. Although this issue was fixed in Docker Engine v18.09.1 in January 2019, the fix was not carried forward to later major versions, resulting in a regression. Anyone who depends on authorization plugins that introspect the request and/or response body to make access control decisions is potentially impacted. Docker EE v19.03.x and all versions of Mirantis Container Runtime are not vulnerable. docker-ce v27.1.1 containes patches to fix the vulnerability. Patches have also been merged into the master, 19.03, 20.0, 23.0, 24.0, 25.0, 26.0, and 26.1 release branches. If one is unable to upgrade immediately, avoid using AuthZ plugins and/or restrict access to the Docker API to trusted parties, following the principle of least privilege. CVE-2024-41110 SUSE Linux Micro 6.1:docker-27.5.1_ce-slfo.1.1_1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520259-1/ https://www.suse.com/security/cve/CVE-2024-41110.html CVE-2024-41110 https://bugzilla.suse.com/1228324 SUSE Bug 1228324