CVE-2016-6349: Infoleak
Once Docker containers are registered with systemd-machined by the oci-register-machine hook, any unprivileged local user can run machinectl to list every container running on the host, including containers that belong to other users and to root, and to read sensitive metadata about each one: its internal IP addresses, OS version, leader process and process tree, and the host path of its root filesystem. For example, as an ordinary user:

$ machinectl status cc8d10c7b9892b75843d200d54d34a3a
cc8d10c7b9892b75843d200d54d34a3a(63633864313063376239383932623735)
           Since: Mon 2016-07-25 17:55:36 UTC; 34s ago
          Leader: 43494 (sleep)
         Service: docker; class container
            Root: /var/mnt/overlay/overlay/0429684e3da515ae4f11b8514c7b20f759613
         Address: 172.17.0.2
                  fe80::42:acff:fe11:2
              OS: Red Hat Enterprise Linux Server 7.2 (Maipo)
            Unit: docker-cc8d10c7b9892b75843d200d54d34a3a9435fe0f65527c254ebfd2d
                  └─43494 sleep 3000

CVE request: http://seclists.org/oss-sec/2016/q3/156
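The check an administrator wants after reading this, as an added example that is not part of the advisory or of oci-register-machine: a small POSIX shell script that, run as an unprivileged user, asks systemd-machined for the machine list and reports any registered docker containers. It assumes the first three columns of machinectl list are MACHINE CLASS SERVICE (true for systemd 219 and later); the parser reads the listing on stdin so it can be exercised on captured output, and the sample listing embedded in the block is constructed.

```shell
#!/bin/sh
# Constructed example (not from the advisory or oci-register-machine):
# does an unprivileged account on this host see Docker containers through
# systemd-machined?  That visibility is the CVE-2016-6349 exposure.

# Names of machines whose SERVICE column is "docker", read from a
# `machinectl list --no-legend` listing on stdin.  Columns are
# MACHINE CLASS SERVICE [...], so the service is always field 3.
docker_machines() {
    awk '$3 == "docker" { print $1 }'
}

# Number of such machines in a listing on stdin (always prints an integer,
# including 0 for an empty listing or a "No machines." line).
count_docker_machines() {
    awk '$3 == "docker" { n++ } END { print n + 0 }'
}

# Live check against the running host.  Returns 0 if nothing is exposed,
# 1 if docker containers are visible, 2 if run as root (where the test
# proves nothing, since root is allowed to see everything anyway).
check_host() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "run this as an unprivileged user, not root" >&2
        return 2
    fi
    listing=$(machinectl list --no-legend 2>/dev/null) || listing=""
    n=$(printf '%s\n' "$listing" | count_docker_machines)
    if [ "$n" -gt 0 ]; then
        echo "EXPOSED: uid $(id -u) can see $n docker container(s):"
        printf '%s\n' "$listing" | docker_machines
        return 1
    fi
    echo "OK: no docker containers visible to uid $(id -u) via systemd-machined"
    return 0
}

# Constructed listing in the shape machinectl prints, mixing a docker
# container, an nspawn container and a libvirt VM.
SAMPLE_LISTING='cc8d10c7b9892b75843d200d54d34a3a container docker
fedora24 container nspawn
rhel7-vm vm libvirt-qemu
9a1f0c2e4b6d8f0a container docker'

# Dry run on the sample; the live check only runs when invoked with --live.
printf '%s\n' "$SAMPLE_LISTING" | docker_machines
case "${1:-}" in --live) check_host ;; esac
```

Run it with --live from a normal user account; a non-zero exit with an EXPOSED line means systemd-machined is serving container metadata to that account. The hexadecimal names in the sample are placeholders, not real container IDs.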
Frequently Asked Questions
What is the severity of CVE-2016-6349?
CVE-2016-6349 has a medium severity rating. It is an information disclosure: any unprivileged local user can enumerate the Docker containers on the host and read their metadata (internal IP addresses, OS version, rootfs path on the host, leader process), but the flaw does not by itself give access to a container or to its files.
How do I fix CVE-2016-6349?
Update oci-register-machine to a version from your distribution that addresses CVE-2016-6349. Restricting who may run the oci-register-machine command does not help: the hook is invoked as root by the container runtime, and the leaked data is served to unprivileged users by systemd-machined's D-Bus interface, which is what machinectl queries. If you do not need containers registered with systemd-machined, disable the hook (it honors a "disabled: true" setting in /etc/oci-register-machine.conf), then confirm from an unprivileged account that machinectl list no longer shows docker containers.
What systems are affected by CVE-2016-6349?
CVE-2016-6349 specifically affects the Projectatomic oci-register-machine tool that interacts with systemd-machined.
Can CVE-2016-6349 be exploited remotely?
No. Exploiting CVE-2016-6349 requires a local account on the host that can talk to systemd-machined over the system D-Bus, which is what machinectl does; there is no network-reachable component.
What are the potential impacts of CVE-2016-6349?
The impact of CVE-2016-6349 is disclosure of container metadata to any local user: which containers are running, their internal IP addresses, OS version, leader process and the host path of their root filesystem. This is reconnaissance material (for example, a rootfs path or a container address to aim a separate flaw at) rather than direct access to the containers' data.