In Docker CE and EE before 18.09.8 (as well as Docker EE before 17.06.2-ee-23 and 18.x before 18.03.1-ee-10), Docker Engine in debug mode may sometimes add secrets to the debug log. This applies to a scenario where docker stack deploy is run to redeploy a stack that includes (non-external) secrets. It potentially applies to other API users of the stack API if they resend the secret.
Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Docker | Docker | 18.09.0 (including) | 18.09.8 (excluding) |
Docker | Docker | 17.03.2-1 (including) | 17.03.2-1 (including) |
Docker | Docker | 17.03.2-2 (including) | 17.03.2-2 (including) |
Docker | Docker | 17.03.2-3 (including) | 17.03.2-3 (including) |
Docker | Docker | 17.03.2-4 (including) | 17.03.2-4 (including) |
Docker | Docker | 17.03.2-5 (including) | 17.03.2-5 (including) |
Docker | Docker | 17.03.2-6 (including) | 17.03.2-6 (including) |
Docker | Docker | 17.03.2-7 (including) | 17.03.2-7 (including) |
Docker | Docker | 17.03.2-8 (including) | 17.03.2-8 (including) |
Docker | Docker | 17.06.2-1 (including) | 17.06.2-1 (including) |
Docker | Docker | 17.06.2-10 (including) | 17.06.2-10 (including) |
Docker | Docker | 17.06.2-11 (including) | 17.06.2-11 (including) |
Docker | Docker | 17.06.2-12 (including) | 17.06.2-12 (including) |
Docker | Docker | 17.06.2-13 (including) | 17.06.2-13 (including) |
Docker | Docker | 17.06.2-15 (including) | 17.06.2-15 (including) |
Docker | Docker | 17.06.2-16 (including) | 17.06.2-16 (including) |
Docker | Docker | 17.06.2-17 (including) | 17.06.2-17 (including) |
Docker | Docker | 17.06.2-18 (including) | 17.06.2-18 (including) |
Docker | Docker | 17.06.2-19 (including) | 17.06.2-19 (including) |
Docker | Docker | 17.06.2-2 (including) | 17.06.2-2 (including) |
Docker | Docker | 17.06.2-20 (including) | 17.06.2-20 (including) |
Docker | Docker | 17.06.2-21 (including) | 17.06.2-21 (including) |
Docker | Docker | 17.06.2-22 (including) | 17.06.2-22 (including) |
Docker | Docker | 17.06.2-3 (including) | 17.06.2-3 (including) |
Docker | Docker | 17.06.2-4 (including) | 17.06.2-4 (including) |
Docker | Docker | 17.06.2-5 (including) | 17.06.2-5 (including) |
Docker | Docker | 17.06.2-6 (including) | 17.06.2-6 (including) |
Docker | Docker | 17.06.2-7 (including) | 17.06.2-7 (including) |
Docker | Docker | 17.06.2-8 (including) | 17.06.2-8 (including) |
Docker | Docker | 17.06.2-9 (including) | 17.06.2-9 (including) |
Docker | Docker | 18.03.1-1 (including) | 18.03.1-1 (including) |
Docker | Docker | 18.03.1-2 (including) | 18.03.1-2 (including) |
Docker | Docker | 18.03.1-3 (including) | 18.03.1-3 (including) |
Docker | Docker | 18.03.1-4 (including) | 18.03.1-4 (including) |
Docker | Docker | 18.03.1-5 (including) | 18.03.1-5 (including) |
Docker | Docker | 18.03.1-6 (including) | 18.03.1-6 (including) |
Docker | Docker | 18.03.1-7 (including) | 18.03.1-7 (including) |
Docker | Docker | 18.03.1-8 (including) | 18.03.1-8 (including) |
Docker | Docker | 18.03.1-9 (including) | 18.03.1-9 (including) |
Docker.io | Ubuntu | trusty | * |
Docker.io | Ubuntu | upstream | * |
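
The two conditions in the description (an affected engine version and debug mode) can be checked together per host. The following is an added example, not part of the original advisory or Docker's code; the function names are hypothetical, the ranges are transcribed from the table above, and it assumes an EE build string such as `17.06.2-ee-16` corresponds to the table entry `17.06.2-16`. The Ubuntu `docker.io` rows are not covered.

```python
import json
import re

# Affected ranges transcribed from the table above. Assumption: an EE build
# such as "17.06.2-ee-16" corresponds to the table entry "17.06.2-16".
EE_PATCH_RANGES = {
    (17, 3, 2): range(1, 9),    # 17.03.2-1 .. 17.03.2-8
    (17, 6, 2): range(1, 23),   # description: fixed in 17.06.2-ee-23
    (18, 3, 1): range(1, 10),   # description: fixed in 18.03.1-ee-10
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ee-)?(\d+))?")


def version_affected(version: str) -> bool:
    """True if the engine version falls in a range listed on this page."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised engine version: {version!r}")
    base = tuple(int(g) for g in m.group(1, 2, 3))
    if (18, 9, 0) <= base < (18, 9, 8):   # 18.09.0 up to, not including, 18.09.8
        return True
    patch = m.group(4)
    return patch is not None and int(patch) in EE_PATCH_RANGES.get(base, ())


def debug_enabled(daemon_json: str, dockerd_args=()) -> bool:
    """True if debug logging is on via daemon.json or the dockerd command line."""
    config = json.loads(daemon_json) if daemon_json.strip() else {}
    return config.get("debug") is True or any(
        arg in ("-D", "--debug") for arg in dockerd_args
    )


def exposed(version: str, daemon_json: str, dockerd_args=()) -> bool:
    """Secrets can reach the debug log only when both conditions hold."""
    return version_affected(version) and debug_enabled(daemon_json, dockerd_args)


if __name__ == "__main__":
    # Constructed sample host: affected engine with debug turned on.
    print(exposed("18.09.6", '{"debug": true}'))
```

Feed it the server version reported by the engine and the contents of the daemon's `daemon.json`; hosts that return `True` should have their existing debug logs treated as containing secret material.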
While logging all information may be helpful during development stages, it is important that logging levels be set appropriately before a product ships so that sensitive user data and system information are not accidentally exposed to potential attackers. Different log files may be produced and stored for: