Last Saturday, May 18th, Jerry Gamblin of Kenna Security
Background: Alpine
The trigger for this small study was a Talos Vulnerability Report published earlier this month:
“Official versions of the Alpine Linux Docker images (since v3.3) contain a NULL password for the root user. This vulnerability stems from a regression introduced in December 2015. The essence of the issue is that systems deployed with affected versions of the Alpine Linux container and using Linux PAM, or another mechanism that uses the system shadow file as the authentication database, may accept a NULL password for the root user.”
The Alpine Docker image versions checked for the issue were 3.3 through 3.9, as well as the latest edge release.
The authors gave affected users the following recommendations:
"The root account should be explicitly disabled in Docker images built from affected versions of Alpine. The likelihood of exploitation of this vulnerability depends on the environment, since success requires an externally exposed service or an application that uses Linux PAM or a similar mechanism."
In practice that means locking the root password in /etc/shadow, or making sure the linux-pam package is not installed in the image.
Onward to Docker Hub
Jerry Gamblin decided to find out “how widespread the practice of empty passwords in containers is.” To that end he wrote a small script that:
- requests, via a curl call to the Docker Hub API, the list of Docker images hosted there;
- sorts that list with jq by the `popularity` field and keeps the first thousand results;
- runs `docker pull` for each of them;
- starts each image fetched from Docker Hub with `docker run` and reads the first line of the file /etc/shadow;
- if that line equals `root:::0:::::`, writes the image name to a separate file.
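The procedure above, reimplemented as an added example for this article (it is not Jerry Gamblin's script and was not taken from his post). Two things are assumptions of mine rather than facts from the article: the Docker Hub search endpoint and the JSON field names used in `list_popular_images` (`HUB_SEARCH_URL`, `repo_name`, `results`; only `popularity` is the field name the article mentions). The example also departs from the described method in two deliberate ways: it reads /etc/shadow with `docker create` and `docker cp` instead of `docker run`, so no code from an untrusted image is ever executed on the scanning host, and instead of comparing the line to exactly `root:::0:::::` it classifies the root entry by its password field (empty, locked with `!`/`*`, or hashed), which also catches entries whose remaining fields differ. The `lock_root_shadow_line` helper shows the mitigation from the Alpine section: it puts `!` in the password field, the conventional way of locking an account in shadow(5).

```shell
#!/bin/sh
# Added example for this article; not Jerry Gamblin's script.
# Assumed (not from the article): HUB_SEARCH_URL and the JSON field names
# repo_name/results. Needs curl, jq and docker only when actually scanning.

HUB_SEARCH_URL="${HUB_SEARCH_URL:-https://hub.docker.com/v2/search/repositories/?query=&page_size=100}"
TOP_N="${TOP_N:-1000}"
OUT_FILE="${OUT_FILE:-empty-root-images.txt}"

# Classify one /etc/shadow line. Prints: empty | locked | hashed | other.
# Returns 0 only for "empty", i.e. the root:::0::::: case from the article
# and any other root entry whose password field (field 2) is empty.
root_shadow_status() {
  user=${1%%:*}
  rest=${1#*:}
  pw=${rest%%:*}
  if [ "$user" != root ]; then
    echo other
    return 1
  fi
  case "$pw" in
    "")        echo empty;  return 0 ;;   # no password at all: accepted as NULL by PAM
    '!'*|'*'*) echo locked; return 1 ;;   # account locked, no password can match
    *)         echo hashed; return 1 ;;   # a real hash is present
  esac
}

# Mitigation from the Alpine section: lock an empty root password with "!"
# and leave every other line untouched. Prints the (possibly rewritten) line.
lock_root_shadow_line() {
  user=${1%%:*}
  rest=${1#*:}
  pw=${rest%%:*}
  tail=${rest#*:}
  if [ "$user" = root ] && [ -z "$pw" ]; then
    printf '%s\n' "root:!:$tail"
  else
    printf '%s\n' "$1"
  fi
}

# Top-N repository names, sorted by the "popularity" field the article mentions.
list_popular_images() {
  curl -sSf "$HUB_SEARCH_URL" \
    | jq -r '.results | sort_by(.popularity // 0) | reverse | .[].repo_name' \
    | head -n "$TOP_N"
}

# Extract the root line of /etc/shadow WITHOUT running the image:
# docker create pulls the image if needed but never starts it, and
# docker cp streams the file out as a tar archive. Returns 2 on failure.
fetch_root_shadow_line() {
  image=$1
  cid=$(docker create "$image" /bin/true 2>/dev/null) || return 2
  line=$(docker cp "$cid:/etc/shadow" - 2>/dev/null | tar -xOf - 2>/dev/null \
         | grep '^root:' | head -n 1)
  docker rm -f "$cid" >/dev/null 2>&1
  [ -n "$line" ] || return 2
  printf '%s\n' "$line"
}

# Full scan: one line of output per image, vulnerable names go to OUT_FILE.
scan_docker_hub() {
  : > "$OUT_FILE"
  list_popular_images | while IFS= read -r image; do
    if ! line=$(fetch_root_shadow_line "$image"); then
      echo "skip $image (pull failed or no /etc/shadow)" >&2
      continue
    fi
    status=$(root_shadow_status "$line")
    echo "$image: $status"
    [ "$status" = empty ] && echo "$image" >> "$OUT_FILE"
  done
}

# Only scan when asked explicitly: `sh scan.sh scan`. Without arguments the
# file just defines the functions, so the classifier can be exercised offline
# against constructed lines such as 'root:::0:::::'.
if [ "${1:-}" = scan ]; then
  scan_docker_hub
fi
```

The exact-match check in the article would miss a line such as `root::18000:0:99999:7:::` (empty password, but non-empty ageing fields), which the field-based classifier reports as `empty`. Inside a Dockerfile the equivalent of `lock_root_shadow_line` is `RUN sed -i 's/^root::/root:!:/' /etc/shadow` (or `passwd -l root` where the shadow tools are installed); either way, re-run the classifier on the built image rather than trusting the base image's tag.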
What came of it? In
“Among the better-known names on the list were govuk/governmentpaas, hashicorp, microsoft, monsanto and mesosphere. And kylemanna/openvpn is the most popular container on the list, with more than 10 million pulls.”
It is worth remembering, however, that this situation by itself does not mean a direct security vulnerability in the systems that use these images: everything depends on how they are used (see the note on the Alpine case above). Still, we have seen this pattern many times: apparent simplicity often has a hidden cost, which is worth keeping in mind and weighing against the consequences in the context of your own applications and infrastructure.
PS
Read also on our blog:
- «Statistics of base operating systems in images on Docker Hub»;
- «Docker and Kubernetes in security-sensitive environments»;
- «The CVE-2019-5736 vulnerability in runc, which allows obtaining root privileges on the host»;
- «Vulnerable Docker VM: a puzzle and pentesting virtual machine for Docker».
Source: www.habr.com