The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "docker-doc": "18.06.1-0ubuntu1~16.04.2", "docker.io": "18.06.1-0ubuntu1~16.04.2", "golang-github-docker-docker-dev": "18.06.1-0ubuntu1~16.04.2", "golang-docker-dev": "18.06.1-0ubuntu1~16.04.2", "vim-syntax-docker": "18.06.1-0ubuntu1~16.04.2" } ] }
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "docker-doc": "18.06.1-0ubuntu1~18.04.1", "docker.io": "18.06.1-0ubuntu1~18.04.1", "golang-github-docker-docker-dev": "18.06.1-0ubuntu1~18.04.1", "golang-docker-dev": "18.06.1-0ubuntu1~18.04.1", "vim-syntax-docker": "18.06.1-0ubuntu1~18.04.1" } ] }