CVE-2017-14992 in Docker-CE

Summary

by MITRE

Lack of content verification in Docker-CE (Also known as Moby) versions 1.12.6-0, 1.10.3, 17.03.0, 17.03.1, 17.03.2, 17.06.0, 17.06.1, 17.06.2, 17.09.0, and earlier allows a remote attacker to cause a Denial of Service via a crafted image layer payload, aka gzip bombing.


Analysis

by VulDB Data Team • 01/05/2023

The vulnerability identified as CVE-2017-14992 represents a critical weakness in Docker Community Edition and Moby container platforms affecting multiple versions from 1.10.3 through 17.09.0. This flaw stems from insufficient validation of content within image layer payloads during the decompression process, creating a path for malicious actors to exploit the system through carefully crafted gzip compressed data. The vulnerability specifically targets the decompression mechanism used by Docker to process container image layers, where the system fails to adequately verify the integrity and size constraints of incoming compressed data before decompressing it.

The technical nature of this vulnerability aligns with CWE-400, which categorizes issues related to resource exhaustion through uncontrolled resource consumption. Attackers can leverage this weakness by creating malicious Docker image layers containing compressed payloads that, when decompressed, consume excessive system resources such as memory and CPU cycles. The gzip bombing technique exploits the inherent properties of compressed data where a small input file can produce an extraordinarily large output, allowing an attacker to craft a compressed payload that expands to consume massive amounts of system resources during the decompression phase.

From an operational impact perspective, this vulnerability enables remote attackers to execute denial of service attacks against Docker hosts by simply pushing a specially crafted image to a registry or pulling a malicious image onto a host system. The attack requires minimal privileges and can be executed from any location with access to the Docker registry or network connectivity to the target host. Successful exploitation results in resource exhaustion, system instability, and potential complete service disruption. The vulnerability affects both the Docker daemon and the underlying host system, making it particularly dangerous in containerized environments where multiple containers may be running simultaneously.

The attack vector specifically targets the decompression process within Docker's image handling pipeline, where the system accepts compressed image layers without proper validation of the decompressed content size or resource consumption patterns. This weakness exists because Docker's implementation does not enforce reasonable limits on decompression ratios or monitor resource usage during the decompression process. The vulnerability is particularly concerning in cloud environments and shared hosting scenarios where multiple users may have access to the same Docker host, creating opportunities for coordinated denial of service attacks that could impact entire infrastructure components.

Organizations should implement immediate mitigations, including updating to patched versions of Docker Community Edition and Moby where available, implementing resource limits on container deployments, and monitoring for unusual decompression patterns or resource consumption spikes. Network-level controls can be deployed to restrict access to known malicious registries and to rate-limit image pull operations. Docker Content Trust and image scanning tools can provide additional layers of protection by validating image integrity before deployment. Security teams should also consider runtime monitoring solutions that can detect anomalous decompression behavior and automatically isolate potentially malicious containers. This vulnerability highlights the importance of proper input validation and resource management in containerized environments, aligning with ATT&CK technique T1499, which covers resource exhaustion attacks, and the broader category of container escape techniques that can be leveraged for denial of service operations.
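The root cause described above is decompressing attacker-supplied gzip data with no bound on the output size. The following is an added illustration, written for this page rather than taken from VulDB, Docker or Moby, of the defensive pattern a layer-handling component needs: wrap the decompressor in a reader that refuses to emit more than a fixed number of bytes, and optionally reject streams whose expansion ratio is implausible for a real layer. The function names (BoundedGunzip, makeCompressible), the limits, and the test payload (a gzip stream of zero bytes, which compresses at roughly 1000:1) are all constructed for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when the decompressed output would exceed maxOut bytes.
var ErrDecompressionLimit = errors.New("decompressed size exceeds limit")

// ErrRatioLimit is returned when the output/input expansion ratio exceeds maxRatio.
var ErrRatioLimit = errors.New("expansion ratio exceeds limit")

// BoundedGunzip decompresses a gzip stream while enforcing two defensive caps
// (hypothetical helper for this example, not Docker's own code):
//   - it never buffers more than maxOut bytes of output, so a decompression bomb
//     cannot exhaust memory regardless of how large it would expand to;
//   - it rejects streams whose expansion ratio exceeds maxRatio, a cheap sanity
//     check that catches bombs well below the absolute cap.
// On failure it returns the bytes decompressed so far together with the error.
func BoundedGunzip(compressed []byte, maxOut int64, maxRatio float64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	// Read at most maxOut+1 bytes: the extra byte tells us the stream is too
	// large without ever having to inflate the remainder.
	lr := &io.LimitedReader{R: zr, N: maxOut + 1}
	var out bytes.Buffer
	n, err := io.Copy(&out, lr)
	if err != nil {
		return out.Bytes(), err
	}
	if n > maxOut {
		return out.Bytes()[:maxOut], ErrDecompressionLimit
	}
	if len(compressed) > 0 && float64(n)/float64(len(compressed)) > maxRatio {
		return out.Bytes(), ErrRatioLimit
	}
	return out.Bytes(), nil
}

// makeCompressible builds a constructed test payload: gzip of n zero bytes,
// which stands in for a highly compressible "bomb" layer.
func makeCompressible(n int) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(make([]byte, n)); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	const maxOut = 1 << 20 // 1 MiB output cap for the demonstration
	const maxRatio = 100.0

	bomb := makeCompressible(10 << 20) // 10 MiB of zeros, a few KiB compressed
	out, err := BoundedGunzip(bomb, maxOut, maxRatio)
	fmt.Printf("bomb: compressed=%d bytes, emitted=%d bytes, err=%v\n", len(bomb), len(out), err)

	small := makeCompressible(1000)
	out, err = BoundedGunzip(small, maxOut, maxRatio)
	fmt.Printf("small: compressed=%d bytes, emitted=%d bytes, err=%v\n", len(small), len(out), err)
}
```

The important property is that memory use is bounded by maxOut no matter what the input claims or expands to; the ratio check is a secondary heuristic and should be tuned conservatively, since legitimate layers containing sparse files can also compress well.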

Reservation

10/03/2017

Disclosure

11/01/2017

Moderation

accepted

CPE

ready

EPSS

0.00420

KEV

no

Activities

very low

Sources
