Find and Fix Docker Doomsday with BMC

by Roger Hellman

Benjamin Franklin once said that “an ounce of prevention is worth a pound of cure.”

That quote is as true today as it was in the 1700s. While he was actually talking about fire safety (some believe he was referring to staying healthy, which is not true), Mr. Franklin could just as easily have been talking about protecting against security vulnerabilities, including a new and very dangerous one, Docker Doomsday.

What is Docker Doomsday?

The Docker Doomsday vulnerability affects almost any organization using Docker and containers. Here’s a quick look at what it does. First, an attacker infects a container with a malicious program. The malicious code exploits a flaw in runc, which is the container runtime utility for Docker and Kubernetes.

Next, the malicious code breaks out, infects the entire container host, and spreads to potentially thousands of other containers running on that host. This is a Doomsday scenario because the attack can ultimately affect many interconnected production systems.

How bad is Docker Doomsday?

Well, it’s CVE-2019-5736 and has an overall Common Vulnerability Scoring System (CVSS) value of 8.6. That’s on a scale of 1-10, where 10 is as bad as it gets. Another perspective comes from Red Hat, which classified it as “Important Impact”, a category reserved for vulnerabilities that can lead to unauthorized access to sensitive data or a denial of service.

How to Solve for Docker Doomsday

Now the good news. Since the leading security vulnerability scanners (such as Qualys and Nessus) can find Docker Doomsday, you can run a scan and automatically import the vulnerability data into TrueSight Vulnerability Management. There you can analyze it and leverage its integration with TrueSight Server Automation to fix it, either on-premises or in the cloud. If you want to go one step further, use BMC Helix Discovery to find “blind spots” (cloud-based Docker instances that the scanners missed) to obtain a complete picture of where Docker Doomsday exists.

If you are in Cloud Operations and use TrueSight Cloud Security, you can scan your Docker instances and containers, find Docker Doomsday, and fix it with a security patch using TrueSight Server Automation.

Thinking back to Benjamin Franklin, your ounce of prevention is patching with BMC TrueSight Server Automation. But do it soon: time favors the attacker, not the defender.

These postings are my own and do not necessarily represent BMC's position, strategies, or opinion.

About the author

Roger Hellman

Roger Hellman is a Director in Solutions Marketing and has many years of experience in Security, Automation, Discovery, and IT Service Management. During his career he has worked in Marketing, Sales, Product Development, Engineering and Finance. Roger enjoys working with our sales team and customers to help solve the challenges we all face together.