CVE-2021-21285 Overview
CVE-2021-21285 is a Denial of Service vulnerability in Docker that allows an attacker to crash the dockerd daemon by pulling an intentionally malformed Docker image manifest. The vulnerability exists in versions prior to 19.03.15 and 20.10.3, where improper validation of layer digests in image manifests can cause the Docker daemon to crash during a pull operation.
Critical Impact
Successful exploitation crashes the Docker daemon. By default dockerd does not keep containers alive across a daemon stop, so unless live-restore is enabled the crash also takes down every running container and any orchestration or CI job that depends on the Docker API on that host until the daemon is restarted. Because the trigger is a pull, an automated pull-and-restart loop can keep the host in a crash cycle.
Affected Products
- Docker versions before 19.03.15
- Docker versions 20.10.0 through 20.10.2
- Debian Linux 10.0
- NetApp E-Series SANtricity OS Controller
Discovery Timeline
- February 2, 2021 - CVE-2021-21285 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-21285
Vulnerability Analysis
This vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption) and CWE-754 (Improper Check for Unusual or Exceptional Conditions). The root cause lies in the Docker engine's failure to properly validate layer digest values within image manifests before processing them.
When a user initiates a docker pull operation, the Docker daemon retrieves the image manifest from a registry. The manifest contains references to image layers via digest values. Prior to the security fix, the daemon did not validate these digest values, allowing malformed or invalid digests to be processed, which triggered a panic condition and crashed the daemon.
The attack requires user interaction—specifically, a user must be tricked into pulling a malicious image from an attacker-controlled or compromised registry. This makes the attack vector network-based but dependent on social engineering or supply chain compromise scenarios.
Root Cause
The vulnerability stems from missing input validation on layer digest values within the Docker image manifest parsing code. The distribution/pull_v2.go and builder/builder-next/adapters/containerimage/pull.go components lacked proper digest validation calls before processing layer information.
Attack Vector
An attacker can exploit this vulnerability by hosting a Docker image whose manifest contains invalid layer digests on any registry the target will pull from: an attacker-controlled registry, a compromised mirror, or a public registry namespace the attacker controls. When a victim pulls this image, the daemon passes the invalid digest into code that assumes a well-formed "algorithm:hex" value, which causes an unrecovered Go panic and terminates dockerd.
// Security patch in distribution/pull_v2.go (schema1 pull path)
// Before the fix, blobSum was used without validation, so a malformed
// digest in the manifest reached code that panics on it. Note that the
// order of this loop is in the direction of bottom-most to top-most, so
// that the downloads slice gets ordered correctly.
for i := len(verifiedManifest.FSLayers) - 1; i >= 0; i-- {
	blobSum := verifiedManifest.FSLayers[i].BlobSum
	if err = blobSum.Validate(); err != nil {
		return "", "", errors.Wrapf(err, "could not validate layer digest %q", blobSum)
	}
	var throwAway struct {
		ThrowAway bool `json:"throwaway,omitempty"`
	}
	// per-layer handling continues unchanged
}
Source: GitHub Commit 8d31795
// Security patch in builder/builder-next/adapters/containerimage/pull.go
// Added digest validation before processing layers
layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers))
for i, desc := range mfst.Layers {
	if err := desc.Digest.Validate(); err != nil {
		return nil, errors.Wrap(err, "layer digest could not be validated")
	}
	ongoing.add(desc)
	layers = append(layers, &layerDescriptor{
		desc: desc,
		// remaining layerDescriptor fields omitted here; unchanged by the fix
	})
}
Source: GitHub Commit 8d31795
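The two patched snippets above both hinge on one check: a layer digest must be validated as "algorithm:hex" before anything slices or hashes it. The following stand-alone Go program, an added example and not moby code, shows that contract against two constructed manifests (a well-formed one and one whose layer digest is the bare string "deadbeef"), and contrasts it with an unchecked helper of the kind that panics on such input. The manifest layout mirrors schema2/OCI but is trimmed; the sample sizes and digests are made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Descriptor and Manifest are a trimmed view of a schema2/OCI image manifest,
// carrying only the fields a pull path touches.
type Descriptor struct {
	MediaType string `json:"mediaType"`
	Size      int64  `json:"size"`
	Digest    string `json:"digest"`
}

type Manifest struct {
	SchemaVersion int          `json:"schemaVersion"`
	Config        Descriptor   `json:"config"`
	Layers        []Descriptor `json:"layers"`
}

// Constructed sample manifests (not real registry output). GoodManifest is
// well formed; BadManifest carries a layer digest with no "algorithm:" prefix,
// the kind of value an attacker-controlled registry can serve.
var (
	GoodManifest = `{"schemaVersion":2,` +
		`"config":{"mediaType":"application/vnd.docker.container.image.v1+json",` +
		`"size":1469,"digest":"sha256:` + strings.Repeat("a", 64) + `"},` +
		`"layers":[{"mediaType":"application/vnd.docker.image.rootfs.diff.tar.gzip",` +
		`"size":2811478,"digest":"sha256:` + strings.Repeat("b", 64) + `"}]}`
	BadManifest = strings.Replace(GoodManifest, "sha256:"+strings.Repeat("b", 64), "deadbeef", 1)
)

// encodedLen is the hex length expected for each algorithm we accept.
var encodedLen = map[string]int{"sha256": 64, "sha512": 128}

var digestRE = regexp.MustCompile(`^([a-z0-9]+):([0-9a-f]+)$`)

// ValidateDigest applies the same contract as Digest.Validate in go-digest:
// "<algorithm>:<hex>", a supported algorithm, and the right hex length.
// It never slices the string before checking its shape.
func ValidateDigest(d string) error {
	m := digestRE.FindStringSubmatch(d)
	if m == nil {
		return fmt.Errorf("invalid checksum digest format %q", d)
	}
	want, ok := encodedLen[m[1]]
	if !ok {
		return fmt.Errorf("unsupported digest algorithm %q", m[1])
	}
	if len(m[2]) != want {
		return fmt.Errorf("digest %q: want %d hex characters, got %d", d, want, len(m[2]))
	}
	return nil
}

// UncheckedAlgorithm is the shape of helper that is only safe after
// validation: when d has no ':' strings.Index returns -1 and d[:-1] panics
// with "slice bounds out of range", the failure class behind this CVE.
func UncheckedAlgorithm(d string) string {
	return d[:strings.Index(d, ":")]
}

// UncheckedAlgorithmRecovered calls UncheckedAlgorithm under a recover so the
// panic can be observed instead of taking the process down.
func UncheckedAlgorithmRecovered(d string) (alg string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			alg, panicked = "", true
		}
	}()
	return UncheckedAlgorithm(d), false
}

// ParseManifest decodes a manifest and rejects it before any layer is
// scheduled for download if the config or any layer digest is malformed.
func ParseManifest(raw []byte) (*Manifest, error) {
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("decode manifest: %w", err)
	}
	if err := ValidateDigest(m.Config.Digest); err != nil {
		return nil, fmt.Errorf("config digest: %w", err)
	}
	for i, l := range m.Layers {
		if err := ValidateDigest(l.Digest); err != nil {
			return nil, fmt.Errorf("layer %d: could not validate layer digest: %w", i, err)
		}
	}
	return &m, nil
}

func main() {
	_, err := ParseManifest([]byte(BadManifest))
	fmt.Println("validating pull path:", err)
	_, panicked := UncheckedAlgorithmRecovered("deadbeef")
	fmt.Println("unchecked helper panicked:", panicked)
}
```

The ordering is the whole point: validation runs on every descriptor before the first download is queued, so a single bad layer rejects the manifest with an error the caller can log, rather than a panic that the registry client cannot recover from.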
Detection Methods for CVE-2021-21285
Indicators of Compromise
- Unexpected Docker daemon crashes or restarts during image pull operations
- Daemon log entries reading "could not validate layer digest" or "layer digest could not be validated" (a patched daemon rejecting such a manifest), or a Go panic with a stack trace (an unpatched daemon crashing on it)
- Evidence of connections to untrusted or suspicious container registries
- Repeated daemon restarts correlating with specific image pull attempts
Detection Strategies
- Monitor Docker daemon logs for panic messages or unexpected terminations during pull operations
- Implement alerting on dockerd process crashes or automatic restarts via systemd
- Track image pull operations from non-standard or untrusted registries
- Use container security scanning tools to validate image manifests before deployment
Monitoring Recommendations
- Configure centralized logging for Docker daemon events and correlate with security information and event management (SIEM) systems
- Set up process monitoring alerts for the dockerd service to detect unexpected terminations
- Implement registry allowlisting to restrict image pulls to trusted sources only
- Monitor for unusual patterns in Docker API calls that may indicate exploitation attempts
How to Mitigate CVE-2021-21285
Immediate Actions Required
- Upgrade Docker to version 19.03.15 or 20.10.3 or later immediately
- Restrict Docker image pulls to trusted and verified registries only
- Review recent image pull history for any suspicious or unknown images
- Implement network-level controls to limit access to untrusted registries
Patch Information
Docker has released patched versions that address this vulnerability. The fix adds proper digest validation before processing layer information in image manifests. Organizations should upgrade to the following versions or later:
- Docker 19.03.15 - GitHub Release v19.03.15
- Docker 20.10.3 - GitHub Release v20.10.3
Additional vendor advisories are available:
- Docker Release Notes 20.10.3
- GitHub Security Advisory GHSA-6fj5-m822-rqx8
- Debian Security Advisory DSA-4865
- Gentoo GLSA 202107-23
Workarounds
- Implement strict registry allowlists using Docker daemon configuration to prevent pulls from untrusted sources
- Use a trusted private registry as a proxy for all external image pulls
- Deploy network segmentation to isolate Docker hosts from direct internet access to public registries
- Implement image scanning and validation pipelines before allowing images into the environment
# Configuration example - /etc/docker/daemon.json
# Docker Engine has no daemon.json setting that blocks pulls from arbitrary
# registries: "registry-mirrors" only redirects Docker Hub pulls to a mirror
# you control, and an explicit pull of evil.example/img still goes to
# evil.example. Enforce the allowlist at the network edge (egress firewall or
# proxy) or in the orchestrator (admission policy). The settings below keep
# the daemon off plain-HTTP registries and route Hub traffic through a vetted
# registry; "allow-nondistributable-artifacts" concerns pushes and is not a
# pull control, so it is not set here.
{
  "insecure-registries": [],
  "registry-mirrors": ["https://your-trusted-registry.example.com"]
}
# Restart Docker daemon after configuration
sudo systemctl restart docker
# Verify Docker version after upgrade
docker version --format '{{.Server.Version}}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.