The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through
17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to
trigger data loss (when certain older Linux kernels are used) by leveraging
Docker container access to write a "scsi remove-single-device" line to
/proc/scsi/scsi, aka SCSI MICDROP.
@Maintainers, could you please confirm whether we are affected? I see 17.06.2 is also stable; maybe we just need to clean 17.03?
17.03 is unsupported upstream, so removing probably makes sense. Same goes for 17.06, though.
This was fixed in 17.09 via https://github.com/docker/docker-ce/pull/291 (but the change doesn't appear to be in an actual 17.09 release yet, just the staging branch for the release).
The same goes for 17.11 via https://github.com/docker/docker-ce/pull/290 (but with the same caveat that it appears it never went out with an actual release).
So, the only official releases which actually contain this fix are the release candidates for 17.12, currently.
17.12.1 contains the patch per the upstream commit on:
GLSA Vote: No
@maintainers, please clean the vulnerable version.