Cisco CloudCenter Orchestrator Docker Engine Privilege Escalation Vulnerability

cisco-sa-20161221-cco · Critical · Published · Updated


A vulnerability in the Docker Engine configuration of Cisco CloudCenter Orchestrator (CCO; formerly CliQr) could allow an unauthenticated, remote attacker to install Docker containers with high privileges on the affected system. The vulnerability is due to a misconfiguration that causes the Docker Engine management port to be reachable outside of the CloudCenter Orchestrator system. An attacker could exploit this vulnerability by loading Docker containers on the affected system with arbitrary privileges. As a secondary impact this may allow the attacker to gain root privileges on the affected CloudCenter Orchestrator. Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161221-cco

Workarounds

Administrators can restrict the Docker Engine port to bind to localhost (127.0.0.1) by following the procedure below:

1. Issue the su command to obtain root privileges.
2. Enter the systemd unit directory with the following command:

cd /etc/systemd/system/

3. Edit the docker.socket file with your chosen editor and change the ListenStream value to the following:

ListenStream=127.0.0.1:2375

4. Reload the unit definitions and restart Docker with the following command:

systemctl daemon-reload && systemctl restart docker
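The following shell script is an added example for checking the workaround above; it is not part of the Cisco advisory or of CloudCenter Orchestrator. It reads a systemd docker.socket unit and reports every ListenStream value that would expose the Docker Engine API on a non-loopback address (a bare port, 0.0.0.0, [::], or a specific external address), which is the misconfiguration the advisory describes. The sample unit files it writes are constructed for the demonstration; on a real host you would point check_docker_socket at /etc/systemd/system/docker.socket.

```shell
#!/bin/sh
# Added example, not part of the Cisco advisory: audit a systemd docker.socket
# unit and report whether any ListenStream= value exposes the Docker Engine
# API on a non-loopback address. It assumes the socket-activated layout that
# the advisory's workaround describes (ListenStream= lines in docker.socket).

# check_docker_socket FILE
#   Prints one "exposed:" line per network-reachable ListenStream value.
#   Returns 0 when every value is a unix socket path or loopback-only,
#   1 when at least one value binds all interfaces (bare port, 0.0.0.0, [::])
#   or a specific non-loopback address.
check_docker_socket() {
    unit="$1"
    bad=0
    # Pull the right-hand side of every ListenStream= line; whitespace
    # around '=' is tolerated, as systemd tolerates it.
    while IFS= read -r value; do
        case "$value" in
            "") ;;                        # empty value (or no lines found)
            /*) ;;                        # unix socket path: local only
            127.*:*|\[::1\]:*) ;;         # loopback only: acceptable
            *) echo "exposed: ListenStream=$value"; bad=1 ;;
        esac
    done <<EOF
$(sed -n 's/^[[:space:]]*ListenStream[[:space:]]*=[[:space:]]*//p' "$unit")
EOF
    return "$bad"
}

# Stand-alone demonstration on two constructed sample units (not real files
# taken from a CCO host); they are written to a temporary directory.
demo() {
    dir=$(mktemp -d)
    # Constructed sample: the exposure the advisory describes.
    printf '[Unit]\nDescription=Docker Socket for the API\n\n[Socket]\nListenStream=0.0.0.0:2375\nListenStream=/var/run/docker.sock\n' > "$dir/exposed.socket"
    # Constructed sample: the advisory's workaround applied.
    printf '[Socket]\nListenStream=127.0.0.1:2375\nListenStream=/var/run/docker.sock\n' > "$dir/fixed.socket"
    for f in "$dir/exposed.socket" "$dir/fixed.socket"; do
        if check_docker_socket "$f"; then
            echo "$f: OK (Docker API not reachable from the network)"
        else
            echo "$f: FAIL (apply the ListenStream=127.0.0.1:2375 workaround)"
        fi
    done
    rm -rf "$dir"
}

demo
```

The check flags a bare port such as ListenStream=2375 as exposed, because systemd binds a bare port on all interfaces; only an explicit loopback address or a unix socket path passes. Run it after step 4 above to confirm the restarted unit no longer listens on an external address.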

In addition, administrators can use the cloud provider security group or external firewall devices in private cloud deployments to restrict access to the CCO Docker Engine management port, as described in the product documentation:

http://docs.cliqr.com/display/CCD46/Phase+2%3A+Configure+Network+Rules

CVEs: CVE-2016-9223
Cisco Bug IDs: NA
CVSS Score: Base 9.3
CVSS v2 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C

Products with public affected evidence