CVE-2025-36154
📋 TL;DR
IBM Concert versions 1.0.0 through 2.1.0 store sensitive information in cleartext during recursive Docker builds, allowing local users to access credentials or other secrets. This affects organizations using IBM Concert for container orchestration where Docker builds occur on shared systems.
💻 Affected Systems
- IBM Concert
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attackers obtain administrative credentials, database passwords, API keys, or other secrets stored in Docker build contexts, leading to full system compromise and data exfiltration.
Likely Case
Unauthorized users with local access extract sensitive configuration data or credentials from Docker build artifacts, potentially escalating privileges or accessing restricted resources.
If Mitigated
With proper access controls and isolated build environments, only authorized administrators can access build contexts, limiting exposure to trusted personnel.
🎯 Exploit Status
Exploitation requires local access to the system where Docker builds are performed; no special tools or authentication needed beyond file system access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IBM Concert 2.1.1 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7255549
Restart Required: Yes
Instructions:
1. Download IBM Concert version 2.1.1 or later from IBM's official distribution channels.
2. Stop all IBM Concert services.
3. Back up configuration files.
4. Install the updated version following IBM's installation guide.
5. Restart IBM Concert services and verify functionality.
🔧 Temporary Workarounds
Disable Recursive Docker Builds
Configure IBM Concert to use non-recursive Docker builds or external build systems that don't store sensitive data in cleartext.
Modify IBM Concert configuration to set 'docker.build.recursive=false' or equivalent setting
Secure Build Context Directories
Restrict filesystem permissions on Docker build directories to prevent unauthorized access.
chmod 700 /path/to/docker/build/contexts
chown root:root /path/to/docker/build/contexts
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to systems running IBM Concert Docker builds.
- Use Docker secrets or external credential management systems instead of storing sensitive data in build contexts.
🔍 How to Verify
Check if Vulnerable:
Check IBM Concert version: if between 1.0.0 and 2.1.0 inclusive, and Docker builds are configured recursively, the system is vulnerable.
Check Version:
ibm-concert --version or check configuration files for version information
Verify Fix Applied:
Verify IBM Concert version is 2.1.1 or later and examine Docker build artifacts to confirm sensitive data is no longer stored in cleartext.
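An added example (not IBM's tooling) of the artifact check described above: a small Python scanner that walks a build context recursively and flags lines matching generic cleartext-credential heuristics. The patterns, the sample directory layout and every value in it are constructed for illustration and are not taken from IBM Concert.

```python
import re
import tempfile
from pathlib import Path

# Generic heuristics for cleartext credentials (assumptions of this example, not IBM-specific).
SECRET_PATTERNS = {
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
    "api_key_assignment": re.compile(r"(?i)\b(api[_-]?key|secret[_-]?key|access[_-]?token)\s*[=:]\s*\S+"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # ENV/ARG values baked into a Dockerfile persist in image layers and build cache.
    "dockerfile_env_secret": re.compile(r"(?i)^\s*(ENV|ARG)\s+\w*(PASSWORD|SECRET|TOKEN|KEY)\w*\s*[= ]\s*\S+"),
}
SKIP_DIRS = {".git", "node_modules"}

def scan_build_context(root):
    """Recursively walk a build context; return (relative_path, pattern_name, line_no)
    for each line that looks like a cleartext secret (at most one finding per line)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or SKIP_DIRS.intersection(path.parts):
            continue
        for lineno, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((str(path.relative_to(root)), name, lineno))
                    break
    return findings

def context_is_clean(root):
    """True when no cleartext-secret heuristic fires anywhere under root."""
    return not scan_build_context(root)

def build_sample_context():
    """Write a small constructed build context (fake values only) into a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="ctx-"))
    (root / "Dockerfile").write_text(
        "FROM alpine:3.20\n"
        "ENV DB_PASSWORD=hunter2-constructed\n"  # secret baked into the image: flagged
        "RUN --mount=type=secret,id=db_pass cat /run/secrets/db_pass\n"  # BuildKit secret mount: not flagged
    )
    (root / "config").mkdir()
    (root / "config" / "app.properties").write_text(
        "db.url=jdbc:postgresql://db/app\n"
        "api_key = EXAMPLE-NOT-A-REAL-KEY\n"  # cleartext key in a config file: flagged
    )
    (root / "config" / "README.md").write_text("Credentials come from the secret store.\n")
    return root
```

Running `scan_build_context` over a real context after upgrading gives the concrete evidence the verification step asks for; an empty result from `context_is_clean` is the expected state once secrets are supplied via secret mounts instead of the build context.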
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Docker build directories
- File access patterns showing users examining build context files
Network Indicators:
- N/A - This is a local filesystem vulnerability
SIEM Query:
source="filesystem" AND (event="file_access" AND path="*/docker/build/*") AND user NOT IN (authorized_users)