Security issue: Allow changing the default registry #34816

Open
interone-ms opened this issue Sep 12, 2017 · 1 comment

interone-ms commented Sep 12, 2017

Docker needs outbound internet access to operate. This is a security issue in corporate environments, as many do not allow outbound internet access at all on servers to prevent data exfiltration or to comply with auditing policies.

Why this is important

In case an attacker gains code execution in an environment where outbound access to the default Docker registry is allowed, he can exfiltrate data by compacting the data into an "image layer" and uploading said layer to the Docker registry using previously created credentials - no need to access the Docker daemon itself, as requests can be manually crafted by the attacker.

Furthermore, allowing users to use a Nexus cache reduces their network usage as well as allows them to operate in network outage situations (e.g. when AWS or whatever the official Docker registry is using as host has issues), so this also has impact on corporate uptime requirements by eliminating external dependencies.

Also, using a cache-only registry proxy prevents accidental pushing of private images to the wide Internet.

How to fix

A company can mitigate this threat in theory by installing e.g. Sonatype Nexus in proxy mode and then setting the default registry, e.g. as proposed in the closed ticket #11815 (and implemented by RedHat in an experimental fork some time ago). This prevents data exfiltration and provides a caching layer.

I do understand the reason why this ticket was closed (namespace fragmentation); however, this is not a sufficient excuse when corporate security policies / threat audits are in effect, and in corporate environments the people involved generally do have sufficient competence to avoid fragmentation.

Why I am asking for this in the "official" Docker repository is because some environments prefer to use Debian/Ubuntu instead of RedHat and thus cannot use the fork.
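As an added example (not part of the original issue and not Docker's own code): since the default registry cannot be changed, one compensating check is to audit image references and flag any that would resolve to Docker Hub or another registry outside an allowlist. The resolution rule mirrors how the Docker client treats the first path component; the internal host `registry.corp.example:5000` and the sample references are constructed assumptions.

```python
"""Flag image references that resolve outside an allowed internal registry."""

DEFAULT_REGISTRY = "docker.io"
LEGACY_DEFAULT = "index.docker.io"
# Hypothetical internal proxy/cache host; replace with your own.
ALLOWED_REGISTRIES = {"registry.corp.example:5000"}


def split_registry(ref):
    """Return (registry, remainder) the way the Docker client resolves a name."""
    first, sep, rest = ref.partition("/")
    # The first component is a registry host only if a "/" follows it and it
    # looks like a host: contains "." or ":", is "localhost", or has uppercase.
    is_host = bool(sep) and (
        "." in first or ":" in first
        or first == "localhost" or first != first.lower()
    )
    if is_host:
        registry = first
    else:
        # No host given: the client silently falls back to the default registry.
        registry, rest = DEFAULT_REGISTRY, ref
    if registry == LEGACY_DEFAULT:
        registry = DEFAULT_REGISTRY
    if registry == DEFAULT_REGISTRY and "/" not in rest:
        rest = "library/" + rest  # official images live under library/
    return registry, rest


def audit(refs):
    """Return (ref, registry) pairs that would leave the allowed registries."""
    findings = []
    for ref in refs:
        registry, _ = split_registry(ref.strip())
        if registry not in ALLOWED_REGISTRIES:
            findings.append((ref, registry))
    return findings


# Constructed sample input, e.g. image names collected from Dockerfiles.
SAMPLE_REFS = [
    "ubuntu:16.04",
    "myuser/app",
    "registry.corp.example:5000/team/app:1.2",
    "quay.io/org/tool:latest",
]

if __name__ == "__main__":
    for ref, registry in audit(SAMPLE_REFS):
        print(f"{ref!r} resolves to {registry}")
```
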

sbrl commented Apr 20, 2020

Is there any word on this (@thaJeztah?)? As mentioned above, this is a huge security issue. Furthermore, some great arguments can be found in #11815.

It would appear that this glaring issue has been ignored.
