Last Saturday, May 18th, Jerry Gamblin of Kenna Security
Background and Alpine
The reason for this small investigation was a Talos vulnerability report that appeared earlier this month (
"Official versions of the Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability is the result of a regression introduced in December 2015. The essence of it is that systems deployed with problematic versions of Alpine Linux in a container, and which use Linux PAM or another mechanism that relies on the system shadow file as an authentication database, may accept a NULL password for the root user."
The versions of the Alpine-based Docker images tested for the problem were 3.3 through 3.9 inclusive, as well as the latest edge release.
The authors gave affected users the following recommendation:
"The root account should be explicitly disabled in Docker images built on the problematic versions of Alpine. The likelihood of exploitation of this vulnerability depends on the environment, since success requires an externally exposed service or application that uses Linux PAM or a similar mechanism."
The problem was in /etc/shadow; alternatively, make sure that the linux-pam package is not installed.
Continuing with Docker Hub
Jerry Gamblin decided to find out "how common the practice of using empty passwords in containers is." For this he wrote a small
- with a curl request to the Docker Hub API, the list of Docker images hosted there is requested;
- with jq, the list is sorted by the popularity field, and from the result the first thousand are kept;
- docker pull is executed for each of them;
- for each image obtained from Docker Hub, docker run is executed to read the first line of the /etc/shadow file;
- if that line equals root:::0:::::, the image name is written to a separate file.
What came of it? In
"Among the best-known names on this list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular container on the list, with statistics showing more than 10 million pulls."
It is worth remembering, however, that this in itself does not mean a direct threat to the security of the systems that use these images: everything depends on exactly how they are used (see the explanation in the Alpine case above). Nevertheless, we have seen the moral of this story many times: apparent simplicity usually has a downside, which must always be kept in mind, with its consequences weighed against your own technology use cases.
PS
Read also on our blog:
- "Statistics on the base operating systems of images on Docker Hub";
- "Docker and Kubernetes in security-sensitive environments";
- "The CVE-2019-5736 vulnerability in runc, which allows obtaining root privileges on the host";
- "Vulnerable Docker VM: a virtual puzzle machine for Docker and penetration testing".
Source: www.habr.com