[HN Gopher] Cloudflare's Handling of an RCE Vulnerability in Cdnjs
       ___________________________________________________________________
        
       Cloudflare's Handling of an RCE Vulnerability in Cdnjs
        
       Author : sahin
       Score  : 100 points
       Date   : 2021-07-24 13:05 UTC (9 hours ago)
        
 (HTM) web link (blog.cloudflare.com)
        
       | CaliforniaKarl wrote:
       | Here's the corresponding blog post from the researcher,
       | describing how they discovered the vulnerability:
       | https://blog.ryotak.me/post/cdnjs-remote-code-execution-en/
        
       | azinman2 wrote:
       | I thought Docker containers weren't meant to be secure sandboxes,
       | but more of a convenience? It seems they did additional work but
       | perhaps the role of the docker container has changed over time?
        
         | staticassertion wrote:
         | That depends on the runtime that the containers are using. At
         | my company we explicitly do not consider Docker + runc as a
         | security boundary due to the shared Linux kernel - but you can
         | hedge against this with technology like gVisor, or executing
         | via KVM + Firecracker containers (Kata Containers do this
         | iirc), etc.
         | 
         | So it's less about "docker" and more about the container
         | runtime. They could also be leveraging seccomp or some other
         | mechanism.
         | 
         | It's unclear in this case if they're relying on just default
         | Docker. If they are, that's concerning to me.
         | 
         | They do mention AppArmor, gotta dig in more. This also relies
         | on a path traversal, so it may be reasonable.
        
       ___________________________________________________________________
       (page generated 2021-07-24 23:01 UTC)