19% of the most popular Docker images have no root password

Last Saturday, May 18th, Jerry Gamblin of Kenna Security checked the 1000 most popular images on Docker Hub for the root password they ship with. In 19% of cases it was empty.


Background and Alpine

The trigger for this small investigation was a Talos vulnerability report published earlier this month (TALOS-2019-0782). Its authors, building on a finding by Peter Adkins of Cisco Umbrella, reported that the Docker images of the popular Alpine distribution had no root password:

"Versions of the official Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability is the result of a regression introduced in December 2015. Because of this, systems deployed using affected versions of the Alpine Linux container which use Linux PAM, or some other mechanism that uses the system shadow file as an authentication database, may accept a NULL password for the root user.

Versions of the Alpine Docker images tested for this issue were 3.3 through 3.9 inclusive, as well as the latest edge release."

The authors gave affected users the following recommendation:

"The root account should be explicitly disabled in Docker images built from affected versions of Alpine. The likelihood of exploitation of this vulnerability is environment-dependent, since successful exploitation requires an externally exposed service or application that uses Linux PAM or another similar mechanism."

The problem was fixed in Alpine 3.6.5, 3.7.3, 3.8.4, 3.9.2 and edge (the 20190228 snapshot). Owners of affected images were advised to comment out the root line in /etc/shadow, or to make sure the linux-pam package is not installed, since without PAM (or a comparable mechanism) nothing in the container consults the shadow file to authenticate root.

On to Docker Hub

Jerry Gamblin then decided to find out "how prevalent the practice of using null passwords in containers might be." To do so he wrote a small Bash script whose logic is very simple:

  • a curl request to the Docker Hub API fetches the list of images hosted there;
  • jq sorts the list by the popularity field, and the first thousand results are kept;
  • docker pull is run for each of them;
  • each pulled image is started with docker run, reading the first line of its /etc/shadow;
  • if that line equals root:::0:::::, the image name is appended to a separate file.
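The following script is an added example written for this page; it is not Jerry Gamblin's script and not Alpine's fix. It covers two things described above: the check the survey relied on (is the password field of the root entry in /etc/shadow empty, locked, or a hash?) and the remediation from the Alpine section (an empty root entry rewritten to a locked one, which is what `passwd -l root` produces). The sample shadow lines are constructed, not taken from any real image. The image list for --scan mode is read from stdin, because the exact Docker Hub API call and jq filter of the original script are not reproduced here; that mode assumes `docker` is in PATH and runs nothing unless you pass --scan.

```shell
#!/bin/sh
# Added example (not Jerry Gamblin's script, not Alpine's fix).
# Runs under POSIX sh: no bash-only here-strings or `local`.
set -eu

# Constructed sample /etc/shadow entries (not taken from any real image):
SAMPLE_EMPTY='root:::0:::::'                                   # what the survey grepped for
SAMPLE_LOCKED='root:!::0:::::'                                 # disabled root account
SAMPLE_HASHED='root:$6$saltsalt$NotARealHashJustAnExample:17900:0:99999:7:::'

# Classify one shadow(5) line for the root account. Prints:
#   empty  - password field is blank: root authenticates with no password
#   locked - field is "!" or "*" (or starts with "!"): account disabled
#   hashed - a crypt(3) hash is set
#   other  - not a root entry, or not a shadow line at all
classify_root_shadow() {
  line=$1
  case $line in
    *:*) ;;
    *) echo other; return 0 ;;        # no colon: not a shadow entry (e.g. "unreadable")
  esac
  user=${line%%:*}
  rest=${line#*:}
  case $rest in
    *:*) pass=${rest%%:*} ;;
    *) pass=$rest ;;
  esac
  [ "$user" = root ] || { echo other; return 0; }
  case $pass in
    '')         echo empty ;;
    '!'* | '*') echo locked ;;
    *)          echo hashed ;;
  esac
}

# Remediation: rewrite an empty root password field to "!" (locked).
# Any line that is not a passwordless root entry is returned unchanged.
lock_root_line() {
  entry=$1
  if [ "$(classify_root_shadow "$entry")" = empty ]; then
    tail=${entry#root:}                 # everything after "root:", starting with the empty field
    printf 'root:!%s\n' "$tail"
  else
    printf '%s\n' "$entry"
  fi
}

# Read the root entry of /etc/shadow inside an image.
# --entrypoint '' bypasses any ENTRYPOINT, --user 0 keeps the file readable
# when the image sets a non-root USER. Images with no /etc/shadow or no grep
# (e.g. FROM scratch) yield "unreadable" instead of being misreported.
image_root_line() {
  image=$1
  docker run --rm --user 0 --entrypoint '' "$image" \
    grep '^root:' /etc/shadow 2>/dev/null </dev/null || echo unreadable
}

# For each image name on stdin, pull it and print "<image>\t<classification>".
scan_images() {
  while IFS= read -r image; do
    [ -n "$image" ] || continue
    if ! docker pull -q "$image" >/dev/null 2>&1 </dev/null; then
      printf '%s\tpull-failed\n' "$image"
      continue
    fi
    printf '%s\t%s\n' "$image" "$(classify_root_shadow "$(image_root_line "$image")")"
  done
}

# Usage: printf '%s\n' alpine:3.5 alpine:3.9.2 | sh ./check-root-shadow.sh --scan
# Rows classified "empty" correspond to the root:::0::::: matches of the survey.
if [ "${1:-}" = "--scan" ]; then
  scan_images
fi
```

Two deliberate differences from the procedure above: the root entry is located with `grep '^root:'` rather than by taking the first line, and an image that cannot be inspected is reported as unreadable instead of silently passing as "not vulnerable". As the Alpine advisory stresses, an "empty" result is a finding to triage, not an exploit by itself: it matters only if some service reachable in that container authenticates against /etc/shadow.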

What came of it? The file ended up with 194 lines, the names of popular Docker images with Linux systems in which the root user has no password:

"Among the most recognizable names on the list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. kylemanna/openvpn is the most popular container on the list, with more than 10 million pulls."

It should be remembered, however, that this by itself does not make the systems that use these images directly vulnerable: everything depends on how exactly they are used. As the Talos authors note in the Alpine case above, an empty root field is only exploitable when some service exposed from the container authenticates against /etc/shadow, for example through Linux PAM. Still, we have seen this "moral of the story" many times: apparent simplicity usually has a downside, which should be kept in mind together with its consequences in your own technology usage scenarios.


Source: www.habr.com
