Join GitHub today
GitHub is home to over 31 million developers working together to host and review code, manage projects, and build software together.Sign up
[18.09] backport fix denial of service with large numbers in cpuset-cpus and cpuset-mems #70
Backport of moby#37967 for 18.09
cherry-pick was clean; no conflicts
Using a value such as
Reported by Huawei PSIRT.
- Description for the changelog
* Fix denial of service with large numbers in `--cpuset-cpus` and `--cpuset-mems`
Oct 11, 2018
5 checks passed
This is CVE-2018-20699. However, I do not believe this issue deserves a CVE, as it does not allow an attacker to do anything he can't already do. To run such docker command you have to be root/high-privileged and if you are already root/high-privileged, there's no need to use this issue to stop dockerd or cause other more serious damages.
I'd like to ask MITRE to reject this flaw for the mentioned reasons. Anybody from upstream has a different opinion? Or if you are of the same idea, please do share your agreement to make MITRE decision easier.
Lots of people run the Docker API with some lock down, and the denial of service is unexpected, so I don't think it makes sense to reject it totally, even if in many cases it is not important. Also our experience with getting MITRE to reject even obviously incorrect CVEs is not good.