{"id":3873,"date":"2024-07-25T12:02:30","date_gmt":"2024-07-25T17:02:30","guid":{"rendered":"https:\/\/cert.pa\/?p=3873"},"modified":"2024-07-25T12:05:01","modified_gmt":"2024-07-25T17:05:01","slug":"aviso-de-seguridad-de-docker","status":"publish","type":"post","link":"https:\/\/cert.pa\/?p=3873","title":{"rendered":"CSIRT Panam\u00e1 Advisory 2024-Jul-25 Docker Engine security advisory"},
"content":{"rendered":"\n<p>Severity: <strong>High<\/strong><\/p>\n\n\n\n<p>Publication date: July 25, 2024<br>Last revised: July 25, 2024<\/p>\n\n\n\n<p>Website:&nbsp;https:\/\/www.docker.com\/<\/p>\n\n\n\n<p><strong>Affected Systems:<\/strong><\/p>\n\n\n\n<p>Docker Engine releases up to and including the following versions (the last affected release of each branch):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>version 19.03.15<\/li>\n\n\n\n<li>version 20.10.27<\/li>\n\n\n\n<li>version 23.0.14<\/li>\n\n\n\n<li>version 24.0.9<\/li>\n\n\n\n<li>version 25.0.5<\/li>\n\n\n\n<li>version 26.0.2<\/li>\n\n\n\n<li>version 26.1.4<\/li>\n\n\n\n<li>version 27.0.3<\/li>\n\n\n\n<li>version 27.1.0<\/li>\n<\/ul>\n\n\n\n<p><strong>Description<\/strong><\/p>\n\n\n\n<p>Some versions of Docker Engine contain a security vulnerability that could allow an attacker to bypass authorization (AuthZ) plugins under certain circumstances.<\/p>\n\n\n\n<p>The issue was identified in April 2024, and patches for the affected versions were published on July 23, 2024. It has been assigned CVE-2024-41110.<\/p>\n\n\n\n<p><strong>Impact<\/strong><\/p>\n\n\n\n<p>CVE-2024-41110:<\/p>\n\n\n\n<p>AuthZ bypass and privilege escalation: An attacker who can already reach the Engine API could exploit this vulnerability by sending an API request with the Content-Length header set to 0. This causes the Docker daemon to forward the request to the AuthZ plugin without its body, so a plugin that bases its decision on the request body may incorrectly approve the request, and the daemon then carries out an action the plugin was meant to block. Deployments that do not use an AuthZ plugin are not affected by this bypass.<\/p>\n\n\n\n<p><strong>References to fixes, tools and information<\/strong><\/p>\n\n\n\n<p>Update Docker Engine: if you are running an affected version, upgrade to the latest patched release.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Docker Engine:<\/strong> version 27.1.1 or later.<\/li>\n\n\n\n<li><strong>Docker Desktop:<\/strong> version 4.33 or later.<\/li>\n<\/ul>\n\n\n\n<p>If you cannot upgrade immediately, avoid using AuthZ plugins, do not expose the Docker API over unprotected TCP, and restrict access to the API to trusted parties, following the principle of least privilege.<\/p>\n\n\n\n<p><strong>Sources:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-41110\">https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2024-41110<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.docker.com\/blog\/docker-security-advisory-docker-engine-authz-plugin\/\">https:\/\/www.docker.com\/blog\/docker-security-advisory-docker-engine-authz-plugin\/<\/a><\/li>\n<\/ol>\n\n\n\n<p><strong>Contact information<\/strong><br>CSIRT PANAMA<br>Computer Security Incident Response Team, Autoridad Nacional para la Innovacion Gubernamental<br>E-Mail: info@cert.pa<br>Phone: +507 520-CERT (2378)<br>Web: https:\/\/cert.pa<br>Twitter: @CSIRTPanama<br>Key ID: 16F2B124<\/p>\n","protected":false},
"excerpt":{"rendered":"<p>Severity: High Publication date: July 25, 2024 Last revised: July 25, 2024 Website:&nbsp;https:\/\/www.docker.com\/ Affected Systems: Docker Engine releases up to and including the following versions (the last affected release of each branch): version 19.03.15 version 20.10.27 version 23.0.14 version 24.0.9 version&#8230;<\/p>\n","protected":false},
"author":4,"featured_media":3876,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[4],"tags":[43,8,72,68],"class_list":["post-3873","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-avisos-de-seguridad","tag-alertas","tag-avisos","tag-avisos-de-seguridad","tag-vulnerabilidades"],"aioseo_notices":[],
"_links":{"self":[{"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts\/3873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3873"}],"version-history":[{"count":3,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts\/3873\/revisions"}],"predecessor-version":[{"id":3879,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/posts\/3873\/revisions\/3879"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=\/wp\/v2\/media\/3876"}],"wp:attachment":[{"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cert.pa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
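The Impact section of the advisory above describes the daemon forwarding a request to the AuthZ plugin with its body stripped. The following added example (editor's illustration, not code from Docker or from CSIRT Panamá) shows why that matters from the plugin's side: the decision logic of a hypothetical AuthZ plugin whose policy is "deny privileged containers", written once in the fail-open shape that an empty body slips past and once in a fail-closed shape that refuses to decide a container-create request without its body. The request and response field names mirror Docker's authorization plugin JSON protocol (`RequestMethod`, `RequestURI`, `RequestBody`, `Allow`, `Msg`); the policy, the function names and the sample requests are assumptions, and the HTTP transport of a real plugin is left out.

```go
// Added example, not Docker's or CSIRT Panamá's code: AuthZ plugin decision logic
// in a fail-open form (bypassed when the daemon drops the body, as under
// CVE-2024-41110) and a fail-closed form that denies a bodiless create request.
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuthZRequest mirrors the JSON the daemon POSTs to an AuthZ plugin's AuthZReq hook.
type AuthZRequest struct {
	User           string            `json:"User"`
	RequestMethod  string            `json:"RequestMethod"`
	RequestURI     string            `json:"RequestURI"`
	RequestBody    []byte            `json:"RequestBody"` // empty under the bypass
	RequestHeaders map[string]string `json:"RequestHeaders"`
}

// AuthZResponse is the plugin's verdict.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg"`
}

// isContainerCreate reports whether the request is POST .../containers/create,
// ignoring the API version prefix (e.g. /v1.45) and any query string.
func isContainerCreate(method, uri string) bool {
	path := uri
	if i := strings.Index(path, "?"); i >= 0 {
		path = path[:i]
	}
	return method == "POST" && strings.HasSuffix(path, "/containers/create")
}

// privilegedRequested decodes a container-create body and reports whether
// HostConfig.Privileged is set; ok is false when the body is missing or unparsable.
func privilegedRequested(body []byte) (privileged bool, ok bool) {
	if len(body) == 0 {
		return false, false
	}
	var cfg struct {
		HostConfig struct {
			Privileged bool `json:"Privileged"`
		} `json:"HostConfig"`
	}
	if err := json.Unmarshal(body, &cfg); err != nil {
		return false, false
	}
	return cfg.HostConfig.Privileged, true
}

// DecideFailOpen is the vulnerable pattern: a body it cannot read is treated
// as "nothing privileged requested", so a bodiless request is approved.
func DecideFailOpen(req AuthZRequest) AuthZResponse {
	if isContainerCreate(req.RequestMethod, req.RequestURI) {
		if priv, _ := privilegedRequested(req.RequestBody); priv {
			return AuthZResponse{Allow: false, Msg: "privileged containers are not allowed"}
		}
	}
	return AuthZResponse{Allow: true}
}

// DecideFailClosed denies any container-create request whose body the plugin
// did not receive or could not parse, which is what the bypass delivers.
func DecideFailClosed(req AuthZRequest) AuthZResponse {
	if isContainerCreate(req.RequestMethod, req.RequestURI) {
		priv, ok := privilegedRequested(req.RequestBody)
		if !ok {
			return AuthZResponse{Allow: false, Msg: "request body missing or unreadable; refusing to decide without it"}
		}
		if priv {
			return AuthZResponse{Allow: false, Msg: "privileged containers are not allowed"}
		}
	}
	return AuthZResponse{Allow: true}
}

func main() {
	// Constructed sample requests (not captured traffic): the same privileged
	// create, first with its body and then as the plugin sees it under the bypass.
	withBody := AuthZRequest{User: "alice", RequestMethod: "POST", RequestURI: "/v1.45/containers/create",
		RequestBody: []byte(`{"Image":"alpine","HostConfig":{"Privileged":true}}`)}
	noBody := withBody
	noBody.RequestBody = nil
	for _, req := range []AuthZRequest{withBody, noBody} {
		fmt.Printf("body=%d bytes  fail-open allow=%v  fail-closed allow=%v\n",
			len(req.RequestBody), DecideFailOpen(req).Allow, DecideFailClosed(req).Allow)
	}
}
```

The fail-closed variant does not make a vulnerable engine safe (the daemon still processes whatever body the client actually sent), but it is the behaviour a body-inspecting plugin should have regardless, and it turns this class of bug into a denial rather than a silent policy bypass.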
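To turn the advisory's "Affected Systems" list and its interim mitigations into something a practitioner can run, here is an added audit helper (editor's example, not a tool from Docker or CSIRT Panamá). It compares an Engine version against the per-branch ceilings listed above and flags, in a `daemon.json`, the two settings the mitigation paragraph warns about: configured `authorization-plugins` and a `tcp://` entry in `hosts` without `tlsverify`. The version table is copied from the advisory; a branch not in that table is reported as not affected simply because the advisory says nothing about it. The sample `daemon.json` is constructed for the example, and the `docker version --format '{{.Server.Version}}'` call in `main` is only attempted when a local daemon is reachable.

```go
// Added example, not Docker's or CSIRT Panamá's code: check an Engine version
// against the advisory's affected list and audit daemon.json for the settings
// the advisory's interim mitigation tells you to avoid.
package main

import (
	"encoding/json"
	"fmt"
	"os/exec"
	"strconv"
	"strings"
)

// lastAffected maps each release branch to the last affected patch level,
// taken from the advisory's "Affected Systems" list.
var lastAffected = map[string]int{
	"19.03": 15, "20.10": 27, "23.0": 14, "24.0": 9, "25.0": 5,
	"26.0": 2, "26.1": 4, "27.0": 3, "27.1": 0,
}

// parseVersion splits "27.1.0" into branch "27.1" and patch 0. A leading "v"
// and a "-rc.1" or "+dfsg1" style suffix are tolerated.
func parseVersion(v string) (branch string, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return "", 0, fmt.Errorf("unexpected version format %q", v)
	}
	patch, err = strconv.Atoi(parts[2])
	if err != nil {
		return "", 0, fmt.Errorf("unexpected patch level in %q", v)
	}
	return parts[0] + "." + parts[1], patch, nil
}

// Affected reports whether the version is at or below the advisory's ceiling
// for its branch. Branches the advisory does not list are reported as not affected.
func Affected(version string) (bool, error) {
	branch, patch, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	ceiling, listed := lastAffected[branch]
	return listed && patch <= ceiling, nil
}

// DaemonConfig holds the daemon.json keys the audit looks at, named as dockerd names them.
type DaemonConfig struct {
	AuthorizationPlugins []string `json:"authorization-plugins"`
	Hosts                []string `json:"hosts"`
	TLSVerify            bool     `json:"tlsverify"`
}

// AuditDaemonJSON returns one finding per risky setting in a daemon.json document.
func AuditDaemonJSON(data []byte) ([]string, error) {
	var cfg DaemonConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, err
	}
	var findings []string
	if len(cfg.AuthorizationPlugins) > 0 {
		findings = append(findings, "authorization-plugins configured: "+strings.Join(cfg.AuthorizationPlugins, ", "))
	}
	for _, h := range cfg.Hosts {
		if strings.HasPrefix(h, "tcp://") && !cfg.TLSVerify {
			findings = append(findings, "API exposed on "+h+" without tlsverify")
		}
	}
	return findings, nil
}

func main() {
	// Live check of the local daemon's version; skipped when the CLI or daemon is unavailable.
	if out, err := exec.Command("docker", "version", "--format", "{{.Server.Version}}").Output(); err == nil {
		v := strings.TrimSpace(string(out))
		affected, aerr := Affected(v)
		fmt.Printf("local engine %s: affected=%v err=%v\n", v, affected, aerr)
	}
	// Constructed sample daemon.json (not taken from any real host) showing both weak settings.
	sample := []byte(`{
  "authorization-plugins": ["example-authz"],
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "tlsverify": false
}`)
	findings, err := AuditDaemonJSON(sample)
	if err != nil {
		fmt.Println("cannot parse daemon.json:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
}
```

Two caveats when using this on a real host: settings given on the `dockerd` command line (`--authorization-plugin`, `-H tcp://...`) do not appear in `daemon.json`, so also check the running process arguments or `docker info --format '{{.Plugins.Authorization}}'`; and a `tcp://` listener with `tlsverify` set is still reachable by every holder of a client certificate, all of whom can trigger the bypass on an unpatched engine, so the version check is the one that matters.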