Updating your Docker for Shellshock
Learn how to update Docker containers to protect against the Shellshock vulnerability. Follow these steps to secure your containers and check for vulnerabilities.
What a week. Starting my workday early Thursday (25 September) morning, I came across a tweet from someone I follow saying that he spent the entire night updating his Linux systems. Hmm, this doesn't look good. After quickly getting up to speed with the Shellshock Bug it was time to make a plan.
Reviewing the Landscape
I quickly evaluated all my web servers spread around the world and made a plan to update them. Updating my web servers was relatively uneventful and fast, but it required quite some time to SSH to each one and run the commands.
Since my last article about launching a Dockerized blog solution, this Bash patch adds a new aspect to the update process: the base Docker images also need updating.
I have 3 Docker containers:
- 1 x NGINX Proxy
- 2 x Nodejs + Ghost CMS
How to update Docker Images & Containers
I deployed a new container for both the NGINX Proxy and Ghost CMS. I started both containers in interactive mode with /bin/bash enabled. I then updated Bash inside the containers, committed each container as a new image, and deployed the new images.
So let's take a look at the process step-by-step:
- Deploy a new Docker container for both NGINX and Ghost

  NGINX:
    docker run -i -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock \
      --name proxy jwilder/nginx-proxy /bin/bash

  Once the container is running and you are attached, run:
    apt-get update
    apt-get install --only-upgrade bash

- Now repeat the process for the Ghost containers

  Ghost:
    docker run -i -p 49157:2368 -v /var/docker/directory_name:/ghost-override \
      -e VIRTUAL_HOST=www.example.com \
      dockerfile/ghost /bin/bash
    apt-get update
    apt-get install --only-upgrade bash

- Next, let's commit the containers as new Docker images.
    docker commit -m "Updated Bash" -a "Brian" \
      proxy jwilder/nginx-proxy:v2

  Repeat the process for the Ghost image by changing the image and container names in the command (for example, tag it dockerfile/ghost:v2).

- Stop the running containers for proxy and Ghost
    docker stop proxy ghost1 ghost2

- Deploy the newly created proxy container
    docker run -i -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock \
      --name proxy jwilder/nginx-proxy:v2 forego start -r

- Same for the Ghost image, using the tag you gave it in the commit step (the untagged dockerfile/ghost would start the old, unpatched image)
    docker run -i -p 49157:2368 -v /var/docker/directory_name:/ghost-override \
      -e VIRTUAL_HOST=www.example.com \
      dockerfile/ghost:v2 bash /ghost-start
Happy Dockering!
What is the Shellshock vulnerability?
Shellshock is a security vulnerability in the Bash shell, found in Unix-based systems like Linux. It allows attackers to execute malicious code remotely, posing a serious risk to servers and containers running affected versions of Bash.
How does Shellshock affect Docker containers?
Docker containers using vulnerable versions of Bash are at risk of being exploited through the Shellshock vulnerability. If attackers gain access to a container's shell, they can execute arbitrary code, potentially compromising the container and the host system.
How can I check if my Docker containers are vulnerable to Shellshock?
To check for Shellshock vulnerability, run the following command inside your container:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If your system outputs “vulnerable,” you need to update Bash immediately. If it’s secure, it will return “this is a test” without the vulnerable message.
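The same probe, wrapped in a small POSIX shell script that classifies the result and can repeat it inside every running container through docker exec (an added example, not part of the original post; it assumes docker exec is available, which Docker gained after this article was written, and that each container has bash on its PATH):

```shell
#!/bin/sh
# Added example (not from the original post): run the article's Shellshock
# probe on this host or inside running containers and classify the result.
# Assumes `docker exec` (Docker 1.3+) and bash on each container's PATH.
PROBE_VAR='() { :;}; echo vulnerable'

# Turn the probe's combined stdout/stderr into a one-word verdict.
classify_probe_output() {
    case "$1" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Probe a bash binary on this host (default: first `bash` on PATH).
# Prints: vulnerable | patched | missing
check_local_bash() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    out=$(env x="$PROBE_VAR" "$bash_bin" -c 'echo this is a test' 2>&1)
    classify_probe_output "$out"
}

# Probe bash inside a running container (name or ID).
# Prints: vulnerable | patched | error (no bash in the image, or not running)
check_container() {
    if ! out=$(docker exec "$1" env x="$PROBE_VAR" bash -c 'echo this is a test' 2>&1); then
        echo error
        return 0
    fi
    classify_probe_output "$out"
}

# Probe every running container; exit status 1 if any is still vulnerable.
scan_running_containers() {
    rc=0
    for id in $(docker ps -q); do
        verdict=$(check_container "$id")
        printf '%s  %s\n' "$id" "$verdict"
        [ "$verdict" = vulnerable ] && rc=1
    done
    return $rc
}
if [ "${1:-}" = "--scan" ]; then   # usage: sh shellshock-scan.sh --scan
    printf 'host bash  %s\n' "$(check_local_bash)"
    scan_running_containers
fi
```

Running it with --scan prints one verdict per container and exits non-zero if any still imports the crafted function, which makes it easy to re-run after the redeploy above.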
How do I update my Docker containers to protect against Shellshock?
To update your Docker containers, start by pulling the latest versions of the base images that include a patched version of Bash. Then rebuild and redeploy your containers to ensure they’re running with the secure version. You can also update Bash directly within the container using the package manager (e.g., apt-get update && apt-get install --only-upgrade bash).
What steps can I take to secure my Docker containers against future vulnerabilities?
Regularly update your Docker images and base containers, apply security patches, and use automated tools like Docker Bench for Security to scan for vulnerabilities. Limiting container privileges and using features like Docker’s built-in security flags can further reduce risks.
Follow me
If you liked this article, be sure to Follow Me on Twitter to stay updated!