CVE-2017-16539

Publication date 4 November 2017

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
docker.io	18.10 cosmic	Fixed 18.06.1-0ubuntu1
	18.04 LTS bionic	Fixed 18.06.1-0ubuntu1~18.04.1
	17.10 artful	Ignored end of life
	17.04 zesty	Ignored end of life
	16.04 LTS xenial	Fixed 18.06.1-0ubuntu1~16.04.2
	14.04 LTS trusty	Not in release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
docker.io	Upstream: https://github.com/moby/moby/pull/35399/commits/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1

Severity score breakdown

Parameter	Value
Base score	5.9 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H