Missing Encryption of Sensitive Data Affecting github.com/docker/docker package, versions >=1.12.0 <20.10.24, >=23.0.0 <23.0.3


Severity

medium (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

EPSS: 0.36% (73rd percentile)

  • Snyk ID SNYK-GOLANG-GITHUBCOMDOCKERDOCKER-5411355
  • published 5 Apr 2023
  • disclosed 4 Apr 2023
  • credit corhere

How to fix?

Upgrade github.com/docker/docker to version 20.10.24, 23.0.3 or higher.

Overview

Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data because the iptables rules that require both incoming and outgoing overlay traffic to be IPSec-encrypted are not created when the xt_u32 kernel module is unavailable, even though the container is still attached to the network. Consequently, encrypted overlay networks on affected platforms silently transmit unencrypted data.

As a result, overlay networks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees.

Exploiting this vulnerability allows an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network.

Note: Patches are available in Moby releases 23.0.3 and 20.10.24. Because Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.

Workarounds

  1. Close the VXLAN port (by default, UDP port 4789) to outgoing traffic at the Internet boundary in order to prevent unintentionally leaking unencrypted traffic over the Internet.

  2. Ensure that the xt_u32 kernel module is available on all nodes of the Swarm cluster.
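The condition described in the Overview and the second workaround can both be verified on each Swarm node. The following script is an added example, not code from the Snyk advisory or from Moby: it assumes that Moby's encryption-enforcing rules are INPUT and OUTPUT entries in the iptables mangle table combining `--dport 4789` with `-m u32`, embeds constructed rule listings so it runs offline, and checks a node's real rules when invoked with `--live` (needs root).

```shell
#!/bin/sh
# Added check for Swarm nodes (example code, not from the Snyk advisory or from Moby).
# Run on a node with a container attached to an encrypted overlay network: it confirms
# the xt_u32 match is loadable and that the mangle-table rules enforcing encryption exist.
# Assumption: those rules are "-A INPUT"/"-A OUTPUT" entries matching "--dport 4789"
# together with "-m u32"; the u32 expression (per-network VNI) itself is not checked.
VXLAN_PORT=4789   # default VXLAN port named in the advisory

# 0 when xt_u32 is loaded or loadable (modprobe -n is a dry run, nothing is inserted).
xt_u32_available() {
    grep -q '^xt_u32 ' /proc/modules 2>/dev/null || modprobe -n -q xt_u32 2>/dev/null
}

# Reads `iptables -t mangle -S` output on stdin, prints "<in> <out>": u32-based VXLAN
# rules in INPUT (drop unencrypted inbound) and in OUTPUT (mark outbound for IPSec).
vxlan_u32_rule_counts() {
    awk -v port="$VXLAN_PORT" '
        /-m u32/ && $0 ~ ("--dport " port "( |$)") {
            if ($2 == "INPUT")  in_rules++
            if ($2 == "OUTPUT") out_rules++
        }
        END { printf "%d %d\n", in_rules + 0, out_rules + 0 }'
}

# Returns 0 if both directions are enforced, 1 for the silent-plaintext condition.
assess_node() {
    set -- $(vxlan_u32_rule_counts)
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then
        echo "ok: $1 inbound / $2 outbound VXLAN encryption rules present"
        return 0
    fi
    echo "WARNING: encryption rules missing (inbound=$1 outbound=$2); overlay traffic may be plaintext"
    return 1
}

# Constructed listings in `iptables -S` shape: one healthy node, one with no rules at all.
SAMPLE_RULES_OK='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=0x100000" -m policy --dir in --pol none -j DROP
-A OUTPUT -p udp -m udp --dport 4789 -m u32 --u32 "0>>22&0x3C@12&0xFFFFFF00=0x100000" -j MARK --set-xmark 0x1/0xffffffff'
SAMPLE_RULES_MISSING='-P INPUT ACCEPT
-P OUTPUT ACCEPT'

if [ "${1-}" = "--live" ]; then
    xt_u32_available && echo "xt_u32: available" || echo "WARNING: xt_u32 not loadable"
    iptables -t mangle -S | assess_node
else   # no argument: demonstrate on the constructed listings
    printf '%s\n' "$SAMPLE_RULES_OK" | assess_node
    printf '%s\n' "$SAMPLE_RULES_MISSING" | assess_node
fi
```

A node where no container is attached to an encrypted overlay network legitimately has no such rules, so run the live check only where the overlay is actually in use.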

CVSS Scores

version 3.1

Snyk (Recommended): 6.8 medium
  • Attack Vector (AV): Network
  • Attack Complexity (AC): High
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): None
  • Availability (A): None

NVD: 6.8 medium

SUSE: 6.8 medium