While containerization is all the rage lately, a recent spate of root-escalation bugs should give the security-minded pause. The latest of these involves Docker and is detailed here. By winning a race condition, an attacker can gain full read/write access to the host file system. That is more than enough for an attacker who has a foothold in one container to plant a back door on the host OS and insert themselves into every other container the box is running. Worse, no fix has shipped yet.
So anyone who has exposed a Plex or Emby instance to the internet and is running it from one of those Docker images may want to close those ports off until the bug is patched.
Worse still, many network security products now run Docker to handle parts of their own stacks; Cisco ISE, for instance, uses Docker. While I have not seen a report concerning this, if you have guest-network-facing ISE landing pages that are not protected by an NGFW or WAF, you may have some exposure here as well.
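A quick way to act on the "close those ports off" advice above is to audit which containers actually publish ports on every host interface and draft host-firewall rules for them. The script below is an added example, not code from the original post or from Docker; it parses the real `docker ps --format '{{.Names}}\t{{.Ports}}'` output format, but the embedded sample table, container names, port numbers, the `eth0` interface and the `192.168.0.0/16` trusted range are all constructed assumptions for illustration.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output,
# embedded so the audit runs without a Docker daemon. The container names and
# port numbers are illustrative, not taken from the post.
SAMPLE_PS_OUTPUT = (
    "plex\t0.0.0.0:32400->32400/tcp, :::32400->32400/tcp, 8324/tcp, 1900/udp\n"
    "emby\t127.0.0.1:8096->8096/tcp\n"
    "internal-db\t5432/tcp\n"
)

# One published mapping as docker ps prints it: HOST:HOSTPORT->CONTAINERPORT/PROTO.
# The lazy host group also handles the bare "::" docker prints for IPv6-any.
PUBLISHED_RE = re.compile(r"(?P<host>.*?):(?P<hport>\d+)->(?P<cport>\d+)/(?P<proto>\w+)")

# Bind addresses that mean "every interface on the host".
WILDCARD_HOSTS = {"0.0.0.0", "::", "[::]", "*"}


def parse_ports(ports_field: str) -> List[Dict[str, object]]:
    """Split docker's comma-separated Ports column into one dict per mapping.

    Entries without a '->' are EXPOSE'd but not published, so they are not
    reachable from outside the host; they are kept with host=None.
    """
    mappings: List[Dict[str, object]] = []
    for entry in ports_field.split(","):
        entry = entry.strip()
        if not entry:
            continue
        m = PUBLISHED_RE.fullmatch(entry)
        if m:
            mappings.append({
                "host": m["host"],
                "host_port": int(m["hport"]),
                "container_port": int(m["cport"]),
                "proto": m["proto"],
            })
        else:
            cport, _, proto = entry.partition("/")
            mappings.append({
                "host": None,
                "host_port": None,
                "container_port": int(cport),
                "proto": proto,
            })
    return mappings


def find_exposed(ps_output: str) -> Dict[str, List[str]]:
    """Return {container: ["hostport/proto", ...]} for ports bound to every interface."""
    exposed: Dict[str, set] = {}
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for mp in parse_ports(ports):
            if mp["host"] in WILDCARD_HOSTS:
                exposed.setdefault(name, set()).add(f"{mp['host_port']}/{mp['proto']}")
    return {name: sorted(ports) for name, ports in exposed.items()}


def suggest_rules(exposed: Dict[str, List[str]], trusted_cidr: str, ext_if: str) -> List[str]:
    """Draft iptables rules for the DOCKER-USER chain that drop traffic to each
    exposed port unless it arrives from trusted_cidr.

    DOCKER-USER is evaluated before Docker's own forwarding rules. The conntrack
    match on the *original* destination port is needed because DNAT has already
    rewritten the packet to the container port by the time it reaches that chain.
    The interface name and CIDR are caller-supplied assumptions.
    """
    rules = []
    for name in sorted(exposed):
        for port_proto in exposed[name]:
            port, proto = port_proto.split("/")
            rules.append(
                f"iptables -I DOCKER-USER -i {ext_if} ! -s {trusted_cidr} -p {proto} "
                f"-m conntrack --ctorigdstport {port} --ctdir ORIGINAL -j DROP"
            )
    return rules


def live_ps_output() -> str:
    """Read the real table from the local daemon (requires docker CLI access)."""
    return subprocess.check_output(
        ["docker", "ps", "--format", "{{.Names}}\t{{.Ports}}"], text=True
    )


if __name__ == "__main__":
    # Swap SAMPLE_PS_OUTPUT for live_ps_output() on a real host.
    report = find_exposed(SAMPLE_PS_OUTPUT)
    for container, ports in report.items():
        print(f"{container}: published on all interfaces -> {', '.join(ports)}")
    for rule in suggest_rules(report, "192.168.0.0/16", "eth0"):
        print(rule)
```

In the sample only the Plex container is flagged: Emby is bound to loopback and the database publishes nothing. The generated rule only stops traffic at the Docker host; if the port was also forwarded on a home router, that forward has to be removed separately, and the rule should be re-applied after a reboot since DOCKER-USER is not persisted by Docker itself.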