Docker has issued an urgent security update to its open source software, which packages applications in lightweight "containers" for virtualization.

The new version, 1.3.2, fixes two security flaws which could allow remote attackers to escalate their privileges on a system running Docker and execute arbitrary malicious code. The new version, and the problems it deals with, were revealed on the Openwall list by Docker security expert Eric Windisch.

The flaws, numbered CVE-2014 6047 and 6048, relate to Docker's handling of images and archives, and allow remote execution because versions of Docker up to 1.3.1 will obey instructions included in them without carrying out sufficient checks.

Docker shocker
"No remediation is available for older versions of Docker and users are advised to upgrade," says the security advisory.

Containerization has been gaining ground as it offers a more lightweight and flexible way to deliver applications, without the overheads of providing an entire virtual machine. Container technology is built into the Linux kernel, and Microsoft will include it in the next version of Windows Server.

For production use, new technologies have to convince the industry of their robustness, and Docker has faced criticism or at least faint praise. At VMworld, VMware CEO Pat Gelsinger announced that VMware would support Docker - but recommended running each Docker container within a VMware virtual machine, somewhat neutralising the benefits of containerization.