SUSE releases urgent Docker security patches for CVE-2025-0495 (credential leakage) and CVE-2025-22872 (DOM spoofing). Learn how to update Docker to v28.2.2-ce, affected SUSE Linux products, CVSS scores, and mitigation steps.
1. Key Security Vulnerabilities Patched
SUSE’s latest Docker update (v28.2.2-ce) addresses two critical CVEs with moderate-to-high severity ratings:
CVE-2025-0495: Credential leakage via cache-to/cache-from configurations (*CVSS 4.1-5.9*).
CVE-2025-22872: DOM construction flaws in golang.org/x/net/html (*CVSS 6.3-6.5*).
Why This Matters:
"Unpatched Docker instances risk exposing sensitive data or enabling injection attacks," warns SUSE’s security team.
2. Affected Systems & Patch Instructions
Impacted SUSE Products:
SUSE Linux Enterprise Server 15 SP3-SP5 (LTSS/ESPOS variants)
SUSE Enterprise Storage 7.1
High-Performance Computing (HPC) 15 SP3-SP5
How to Patch:
# Example for SUSE Linux Enterprise Server 15 SP5 LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-2289=1
Alternative Methods: Use YaST online_update or zypper patch.
3. Technical Deep Dive: Fixes & Features
Security Fixes:
Blocked credential leakage to telemetry endpoints (CVE-2025-0495).
Corrected HTML tag parsing in Go’s net/html (CVE-2025-22872).
New Features:
Docker Buildx v0.22.0 support for SLE-16.
Disabled transparent SUSEConnect secrets in rootless containers (bsc#1240150).
4. CVSS Score Breakdown
| CVE ID | SUSE CVSS 4.0 | NVD CVSS 3.1 | Risk Profile |
|---|---|---|---|
| CVE-2025-0495 | 4.1 (Low) | 5.9 (Medium) | Credential exposure |
| CVE-2025-22872 | 6.3 (Medium) | 6.5 (Medium) | DOM spoofing |
5. FAQs for SysAdmins
Q: Is this update mandatory?
A: Yes, if using Docker in SUSE environments. Both CVEs are exploitable in default configurations.
Q: How to verify the patch?
A: Run docker --version and confirm v28.2.2-ce is installed.
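To make that verification step scriptable across a fleet, here is an added shell example (not code from SUSE or from this post) that parses a `docker --version` line, compares it numerically against the fixed 28.2.2 release, and prints the advisory's SLES 15 SP5 LTSS patch command when a host is behind. The exact `docker --version` output format and the sample build id are assumptions.

```shell
# Added example: is the installed Docker at or above the fixed 28.2.2-ce release?
# Assumes `docker --version` prints "Docker version <major.minor.patch>-ce, build <id>"
# (typical output, an assumption here) and the SLES 15 SP5 LTSS patch name from the advisory.

FIXED_VERSION="28.2.2"
PATCH_CMD="zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-2289=1"

# Extract "28.2.2" from a `docker --version` line; prints nothing if the line does not match.
parse_docker_version() {
  printf '%s\n' "$1" | sed -n 's/^Docker version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Numeric major.minor.patch comparison: succeeds (0) when $1 >= $2.
# Missing components count as 0, so 28.2 equals 28.2.0. Pure POSIX sh, no sort -V.
version_ge() {
  have=$1; want=$2
  oldifs=$IFS; IFS=.
  set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
  set -- $want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}
  IFS=$oldifs
  if [ "$h1" -gt "$w1" ]; then return 0; fi
  if [ "$h1" -lt "$w1" ]; then return 1; fi
  if [ "$h2" -gt "$w2" ]; then return 0; fi
  if [ "$h2" -lt "$w2" ]; then return 1; fi
  if [ "$h3" -ge "$w3" ]; then return 0; fi
  return 1
}

# Classify one `docker --version` line: patched | needs-patch | unknown (always exits 0).
docker_patch_status() {
  v=$(parse_docker_version "$1")
  if [ -z "$v" ]; then
    echo unknown
  elif version_ge "$v" "$FIXED_VERSION"; then
    echo patched
  else
    echo needs-patch
  fi
}

# On a real host: feed in the live output and suggest the patch command if needed.
check_host() {
  status=$(docker_patch_status "$(docker --version 2>/dev/null)")
  printf 'docker: %s\n' "$status"
  if [ "$status" != "patched" ]; then printf 'apply: %s\n' "$PATCH_CMD"; fi
}

# Constructed sample line (build id is made up) for a quick offline check:
docker_patch_status 'Docker version 28.2.2-ce, build 0000000'
```

Run `check_host` on a SUSE host to see the verdict for the installed package; an `unknown` result means `docker` is missing or its output did not match the assumed format.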