Moby Firewalld Bridge Network Isolation Vulnerability

Vulnerability

A vulnerability in Moby, affecting releases prior to 28.0.0, breaks network segmentation between containers attached to different bridge networks. When firewalld is reloaded, Docker fails to restore the iptables rules that isolate bridge networks from one another, so containers can reach every port on containers in other non-internal bridge networks on the same host. This poses a significant risk in multi-tenant environments; containers in --internal networks remain protected. The root cause is that Docker does not re-establish the inter-network isolation rules after the firewalld reload, leaving the bridge networks exposed to each other. Workarounds include restarting the Docker daemon after any firewalld reload, recreating the bridge networks, or running Docker in rootless mode.

Impact

The vulnerability allows containers to bypass network isolation, enabling access to any port on any container across different non-internal bridge networks on the same host. This breaks the intended segmentation, creating risks in environments where containers should be isolated.

Remediation

Users can upgrade to Moby version 25.0.13 or later, where this vulnerability is patched. As workarounds, restart the Docker daemon after each firewalld reload, recreate the bridge networks, or run Docker in rootless mode.
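A way to verify on a host whether the isolation rules are actually present after a firewalld reload, as an added check that is not part of this advisory or of the Moby project. It assumes the iptables layout Docker uses for bridge networks (a DOCKER-ISOLATION-STAGE-1 rule of the form "-i <bridge> ! -o <bridge> -j DOCKER-ISOLATION-STAGE-2" per bridge, docker0 for the default network and br-<first 12 characters of the network id> for user-defined networks unless com.docker.network.bridge.name overrides it); the function names are hypothetical.

```shell
#!/bin/sh
# Added check (not from the advisory or the Moby project): report bridge
# interfaces that have no entry in Docker's DOCKER-ISOLATION-STAGE-1 chain.
# Assumes the iptables filter-table layout Docker uses for bridge networks.

# missing_isolation_rules RULES BRIDGES
#   RULES   - text of `iptables -S DOCKER-ISOLATION-STAGE-1` (may be empty
#             when the chain was removed by a firewalld reload)
#   BRIDGES - whitespace-separated bridge interface names to verify
# Prints one line per bridge that lacks its stage-1 isolation rule.
missing_isolation_rules() {
    rules=$1
    bridges=$2
    for br in $bridges; do
        if ! printf '%s\n' "$rules" | grep -qF -- "-i $br ! -o $br -j DOCKER-ISOLATION-STAGE-2"; then
            printf '%s\n' "$br"
        fi
    done
}

# docker_bridge_ifaces
#   Lists the host interface of every non-internal bridge network. Needs the
#   docker CLI; internal networks are skipped because they are not affected.
docker_bridge_ifaces() {
    docker network ls --filter driver=bridge -q | while read -r id; do
        docker network inspect "$id" \
            --format '{{.Internal}} {{.Name}} {{index .Options "com.docker.network.bridge.name"}} {{.Id}}'
    done | while read -r internal name custom id; do
        [ "$internal" = "true" ] && continue
        if [ -n "$custom" ]; then printf '%s\n' "$custom"
        elif [ "$name" = "bridge" ]; then printf 'docker0\n'
        else printf 'br-%s\n' "$(printf '%s' "$id" | cut -c1-12)"
        fi
    done
}

# check_live_host: run the check against the running host (needs root).
# Returns non-zero when at least one bridge is missing its isolation rule.
check_live_host() {
    missing=$(missing_isolation_rules \
        "$(iptables -S DOCKER-ISOLATION-STAGE-1 2>/dev/null)" \
        "$(docker_bridge_ifaces | tr '\n' ' ')")
    if [ -n "$missing" ]; then
        echo "isolation rules missing for: $missing" >&2
        return 1
    fi
    echo "inter-bridge isolation rules present"
}
```

Run check_live_host before and after a firewalld reload on an affected version; a non-zero exit after the reload reproduces the condition the advisory describes.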

Added: Jul 30, 2025, 2:23 PM
Updated: Jul 30, 2025, 2:23 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.0
exploitability: 3.3
remediation: 8.3
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.