Unprotected Alternate Channel Affecting github.com/docker/docker package, versions >=1.12.0 <20.10.24 >=23.0.0 <23.0.3
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMDOCKERDOCKER-5411364
- published 5 Apr 2023
- disclosed 4 Apr 2023
- credit corhere
Introduced: 4 Apr 2023
CVE-2023-28842 Open this link in a new tabHow to fix?
Upgrade github.com/docker/docker to version 20.10.24, 23.0.3 or higher.
Overview
Affected versions of this package are vulnerable to Unprotected Alternate Channel. Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams.
Note: Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Workarounds
In multi-node clusters, deploy a global ‘pause’ container for each encrypted overlay network, on every node. For example, use the
registry.k8s.io/pauseimage and a--mode globalservice.For a single-node cluster, do not use overlay networks of any sort. Bridge networks provide the same connectivity on a single node and have no multi-node features. The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in
hostmode instead ofingressmode (allowing the use of an external load balancer), and removing theingressnetwork.If encrypted overlay networks are in exclusive use, block UDP port 4789 from traffic that has not been validated by IPSec. For example,
iptables -A INPUT -m udp —-dport 4789 -m policy --dir in --pol none -j DROP.