Hello everyone! This episode will be about Microsoft Patch Tuesday for January 2022. Traditionally, I will use my open source Vulristics tool for analysis. This time I didn’t make any changes to how connectors work. The report generation worked correctly on the first try. python3.8 vulristics.py --report-type "ms_patch_tuesday" --mspt-year 2022 --mspt-month "January" --rewrite-flag "True" The […]

Microsoft Patch Tuesday January 2022

IBM Sterling Gentran:Server for Microsoft Windows 5.3 stores potentially sensitive information in log files that could be read by a local user.  IBM X-Force ID:  213962.

CVE-2021-39032: IBM X-Force Exchange

Docker Desktop version 4.3.0 and 4.3.1 has a bug that may log sensitive information (access token or password) on the user's machine during login. This only affects users if they are on Docker Desktop 4.3.0, 4.3.1 and the user has logged in while on 4.3.0, 4.3.1. Gaining access to this data would require having access to the user’s local files.

_Estimated reading time: 8 minutes_

> **Update to the Docker Desktop terms**
> 
> Professional use of Docker Desktop in large organizations (more than 250 employees or more than $10 million in annual revenue) requires users to have a paid Docker subscription. While the effective date of these terms is August 31, 2021, there is a grace period until January 31, 2022 for those that require a paid subscription. For more information, see Docker Desktop License Agreement.

This page contains information about the new features, improvements, known issues, and bug fixes in Docker Desktop releases.

Take a look at the Docker Public Roadmap to see what’s coming next.

**Docker Desktop 4.3.2**

2021-12-21

> Download Docker Desktop
> 
> For Windows

**Upgrades**

docker scan v0.14.0

**Security**

**Log4j 2 CVE-2021-44228**: We have updated the `docker scan` CLI plugin. This new version of `docker scan` is able to detect Log4j 2 CVE-2021-44228 and Log4j 2 CVE-2021-45046

For more information, read the blog post Apache Log4j 2 CVE-2021-44228.

**Docker Desktop 4.3.1**

2021-12-11

> Download Docker Desktop
> 
> For Windows

**Upgrades**

docker scan v0.11.0

**Security**

**Log4j 2 CVE-2021-44228**: We have updated the `docker scan` CLI plugin for you. Older versions of `docker scan` in Docker Desktop 4.3.0 and earlier versions are not able to detect Log4j 2 CVE-2021-44228.

For more information, read the blog post Apache Log4j 2 CVE-2021-44228.

**Docker Desktop 4.3.0**

2021-12-02

> Download Docker Desktop
> 
> For Windows

**Upgrades**

*   Docker Engine v20.10.11
*   containerd v1.4.12
*   Buildx 0.7.1
*   Compose v2.2.1
*   Kubernetes 1.22.4
*   Docker Hub Tool v0.4.4
*   Go 1.17.3

**Bug fixes and minor changes**

*   Fixed an issue which prevented users from saving files from a volume using the Save As option in the Volumes UI. Fixes docker/for-win#12407.
*   Fixed an issue that caused Docker Desktop to fail during startup if the home directory path contains a character used in regular expressions. Fixes docker/for-win#12374.
*   Added a self-diagnose warning if the host lacks Internet connectivity.
*   Docker Desktop now uses cgroupv2. If you need to run `systemd` in a container then:
    *   Ensure your version of `systemd` supports cgroupv2. It must be at least `systemd` 247. Consider upgrading any `centos:7` images to `centos:8`.
    *   Containers running `systemd` need the following options: `--privileged --cgroupns=host -v /sys/fs/cgroup:/sys/fs/cgroup:rw`.

**Known issue**

Docker Dashboard incorrectly displays the container memory usage as zero on Hyper-V based machines. You can use the `docker stats` command on the command line as a workaround to view the actual memory usage. See docker/for-mac#6076.

**Deprecation**

*   The following internal DNS names are deprecated and will be removed from a future release: `docker-for-desktop`, `docker-desktop`, `docker.for.mac.host.internal`, `docker.for.mac.localhost`, `docker.for.mac.gateway.internal`. You must now use `host.docker.internal`, `vm.docker.internal`, and `gateway.docker.internal`.
*   Removed: Custom RBAC rules have been removed from Docker Desktop as it gives `cluster-admin` privileges to all Service Accounts. Fixes docker/for-mac/#4774.

**Docker Desktop 4.2.0**

2021-11-09

> Download Docker Desktop
> 
> For Windows

**New**

**Pause/Resume**: You can now pause your Docker Desktop session when you are not actively using it and save CPU resources on your machine. For more information, see Pause/Resume.

*   Ships Docker Public Roadmap#226

**Software Updates**: The option to turn off automatic check for updates is now available for users on all Docker subscriptions, including Docker Personal and Docker Pro. All update-related settings have been moved to the **Software Updates** section. For more information, see Software updates.

*   Ships Docker Public Roadmap#228

**Window management**: The Docker Dashboard window size and position persists when you close and reopen Docker Desktop.

**Upgrades**

*   Docker Engine v20.10.10
*   containerd v1.4.11
*   runc v1.0.2
*   Go 1.17.2
*   Compose v2.1.1
*   docker-scan 0.9.0

**Bug fixes and minor changes**

*   Improved: Self-diagnose now also checks for overlap between host IPs and `docker networks`.
*   Fixed the position of the indicator that displays the availability of an update on the Docker Dashboard.
*   Fixed Docker Desktop sometimes hanging when clicking Exit in the fatal error dialog.
*   Fixed an issue that frequently displayed the **Download update** popup when an update has been downloaded but hasn’t been applied yet docker/for-win#12188.
*   Fixed installing a new update killing the application before it has time to shut down.
*   Fixed: Installation of Docker Desktop now works even with group policies preventing users to start prerequisite services (e.g. LanmanServer) docker/for-win#12291.

**Docker Desktop 4.1.1**

2021-10-12

> Download Docker Desktop
> 
> For Windows

**Bug fixes and minor changes**

*   Fixed a regression in WSL 2 integrations for some distros (e.g. Arch or Alpine). Fixes docker/for-win#12229
*   Fixed update notification overlay sometimes getting out of sync between the Settings button and the Software update button in the Dashboard.

**Docker Desktop 4.1.0**

2021-09-30

> Download Docker Desktop
> 
> For Windows

**New**

*   **Software Updates**: The Settings tab now includes a new section to help you manage Docker Desktop updates. The **Software Updates** section notifies you whenever there’s a new update and allows you to download the update or view information on what’s included in the newer version. For more information, see Software Updates.
*   **Compose V2** You can now specify whether to use Docker Compose V2 in the General settings.
*   **Volume Management**: Volume management is now available for users on any subscription, including Docker Personal. For more information, see Explore volumes. Ships Docker Public Roadmap#215

**Upgrades**

*   Compose V2
*   Buildx 0.6.3
*   Kubernetes 1.21.5
*   Go 1.17.1
*   Alpine 3.14
*   Qemu 6.1.0
*   Base distro to debian:bullseye

**Bug fixes and minor changes**

*   Fixed a bug related to anti-malware software triggering, self-diagnose avoids calling the `net.exe` utility.
*   Fixed filesystem corruption in the WSL 2 Linux VM in self-diagnose. This can be caused by microsoft/WSL#5895.
*   Fixed `SeSecurityPrivilege` requirement issue. See docker/for-win#12037.
*   Fixed CLI context switch sync with UI. See docker/for-win#11721.
*   Added the key `vpnKitMaxPortIdleTime` to `settings.json` to allow the idle network connection timeout to be disabled or extended.
*   Fixed a crash on exit. See docker/for-win#12128.
*   Fixed a bug where the CLI tools would not be available in WSL 2 distros.
*   Fixed switching from Linux to Windows containers that was stuck because access rights on panic.log. See for-win#11899.

**Known Issue**

Docker Desktop may fail to start when upgrading to 4.1.0 on some WSL-based distributions such as ArchWSL. See docker/for-win#12229

**Docker Desktop 4.0.1**

2021-09-13

> Download Docker Desktop
> 
> For Windows

**Upgrades**

*   Compose V2 RC3
    *   Compose v2 is now hosted on github.com/docker/compose.
    *   Fixed go panic on downscale using `compose up --scale`.
    *   Fixed a race condition in `compose run --rm` while capturing exit code.

**Bug fixes and minor changes**

*   Fixed a bug where Docker Desktop would not start correctly with the Hyper-V engine. See docker/for-win#11963
*   Fixed a bug where copy-paste was not available in the Docker Dashboard.

**Docker Desktop 4.0.0**

2021-08-31

> Download Docker Desktop
> 
> For Windows

**New**

Docker has announced updates and extensions to the product subscriptions to increase productivity, collaboration, and added security for our developers and businesses.

The updated Docker Subscription Service Agreement includes a change to the terms for **Docker Desktop**.

*   Docker Desktop **remains free** for small businesses (fewer than 250 employees AND less than $10 million in annual revenue), personal use, education, and non-commercial open source projects.
*   It requires a paid subscription (**Pro, Team, or Business**), for as little as $5 a month, for professional use in larger enterprises.
*   The effective date of these terms is August 31, 2021. There is a grace period until January 31, 2022 for those that will require a paid subscription to use Docker Desktop.
*   The Docker Pro and Docker Team subscriptions now **include commercial use** of Docker Desktop.
*   The existing Docker Free subscription has been renamed **Docker Personal**.
*   **No changes** to Docker Engine or any other upstream **open source** Docker or Moby project.

To understand how these changes affect you, read the FAQs. For more information, see Docker subscription overview.

**Upgrades**

*   Compose V2 RC2
    *   Fixed project name to be case-insensitive for `compose down`. See docker/compose-cli#2023
    *   Fixed non-normalized project name.
    *   Fixed port merging on partial reference.
*   Kubernetes 1.21.4

**Bug fixes and minor changes**

*   Fixed a bug where the CLI tools would not be available in WSL 2 distros.
*   Fixed a bug when switching from Linux to Windows containers due to access rights on `panic.log`. for-win#11899

Docker Desktop for Windows, release notes

CVE-2021-45449: Docker for Windows release notes

Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.

CVE-2021-44652: Microsoft 365 management, reporting, and auditing - ManageEngine M365 Manager Plus

Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.

CVE-2021-44650: Microsoft 365 management, reporting, and auditing - ManageEngine M365 Manager Plus

Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability.

CVE-2022-21871

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21954.

CVE-2022-21970

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21929, CVE-2022-21931.

CVE-2022-21930

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21930, CVE-2022-21931.

CVE-2022-21929

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2022-21846, CVE-2022-21855.

Tag

#microsoft