top | item 45684825


Jeslijar|4 months ago

I'll let docker's security team know that an insecure, obsolete docker image is being served and the maintainers have officially acknowledged they will no longer support it.

Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.


pelagicAustral|4 months ago

Someone seems to already be at it on Discussions: https://github.com/minio/minio/discussions/21655

> I felt it might be appropriate for me to reach out as one of the stewards of the Docker Official Images program.

Jeslijar|4 months ago

So that's not the same thing. Docker "official images" are a category of curated docker images. Minio is not one of them. The official curated images are here: https://hub.docker.com/u/library

The minio image is basically a community one that anyone could have created, but still shows in overall docker hub. It's created by minio themselves. I'm kind of surprised they haven't removed it, but with over a billion downloads they are easily in the top ten of whatever category they fall under creating substantial free advertisement.

benterix|4 months ago

Oh that will be an interesting discussion to watch.

ndriscoll|4 months ago

> Best to get insecure and vulnerable software out of the hands of those who may not be familiar with this CVE or their change in policy that has not gotten a press release in any way.

Why is that the best? MinIO is not the type of thing that people ought to be directly making available on the Internet anyway, so CVEs are mostly irrelevant unless you are an organization that has to keep on top of them, in which case you certainly have a process in place to do so already.

People straight pulling an image off Dockerhub (so not a particularly sophisticated use-case) to run seem like they'd be the least likely to be impacted by a CVE like this. The impact is apparently "[it] allows the attacker to access buckets and objects beyond their intended restrictions and modify, delete, or create objects outside their authorized scope". Are people pulling from Dockerhub even setting up anything but the absolute most basic (Allow All) ACL?

b112|4 months ago

Zero trust is the way to assess threat. Not Internet access or not.

Jeslijar|4 months ago

Regrettably, Docker has let me know they are uninterested in taking any action.

"Hello,

This does not qualify as an infringement to our Terms of Use policy. Deprecating such images and repo(s) is the responsibility of the owner and we recommend you reach out to them. Docker advises its users to opt into using images under our official programs and offerings such as Docker Official Images and Docker Hardened Images.

Thank you, Security@Docker"

In their ToU under section 6.6, they outline how they may scan images for vulnerabilities and request that the owners of said packages fix them, or simply remove them from their site. They clearly do not do this, though, even when notified of a high-criticality vulnerability.

raesene9|4 months ago

Unfortunately I don't think they're going to get involved there. There are already multiple "official" images on Docker Hub that are unmaintained and have plenty of CVEs (e.g. Centos https://hub.docker.com/_/centos/tags)

I think the most they'd do is add the DEPRECATED note to the Docker hub page as they have done for things like Centos

jeroenhd|4 months ago

Imagine the absolute chaos if Docker did do that and pulled vulnerable images offline. Not a single company would be able to build their software anymore.

Actually, Docker did something like that, where they limited the amount of docker images they would host for you for free to a reasonable number. The result was pretty similar to this current outcry: https://news.ycombinator.com/item?id=24143588

hansmayer|4 months ago

...Or just spend 10 minutes and familiarise yourself with the basic docker build command? It's really dead simple.

_joel|4 months ago

Then you have to maintain a pipeline and registry just to fix something that should be fixed upstream?