The RedLock CSI team found that many organizations have accidentally shared internal Docker images publicly.
The misconfiguration has led to the exposure of source code and other sensitive information.
Docker Hub repositories let you share images with co-workers, customers, or the Docker community at large. If you’re building your images internally, either on your own Docker daemon, or using your own continuous integration services, you can push them to a Docker Hub repository that you add to your Docker Hub user or organization account.
When creating a repository, the “Visibility” drop-down field lets you make an image public or private. Many organizations have accidentally left this field set to “public”, exposing source code and other sensitive information.
Figure 1: The “Visibility” drop-down field makes an image public or private
- Performing a simple search such as the one below with your organization’s or business unit’s names might identify some images that are publicly exposed: https://hub.docker.com/search/?isAutomated=0&isOfficial=0&page=1&pullCount=0&q=mycompany&starCount=0
- Train developers on security best practices, and educate them on the implications of inadvertently sharing internal Docker images.
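A repeatable way to run the check above against your own namespace, as an added example that is not part of the RedLock advisory: the script below lists a Docker Hub namespace's repositories and reports those whose visibility is public. It assumes Docker Hub's v2 repositories endpoint (`https://hub.docker.com/v2/repositories/<namespace>/`) and its `is_private` result field, and that anonymous requests return only public repositories; verify both against current Docker documentation. The namespace `mycompany` and the sample API pages are constructed.

```python
"""Audit a Docker Hub namespace for repositories whose visibility is public.

Added example, not from the RedLock advisory. Assumes Docker Hub's v2 API
(https://hub.docker.com/v2/repositories/<namespace>/), whose listing results
carry an ``is_private`` boolean; verify against current Docker documentation.
"""
import json
import urllib.request
from typing import Iterator, List, Optional

HUB_API = "https://hub.docker.com/v2/repositories/{namespace}/?page_size=100"


def iter_repository_pages(namespace: str, token: Optional[str] = None) -> Iterator[dict]:
    """Yield each page of the repository listing, following the ``next`` link.

    Assumption: without a token Docker Hub returns only public repositories
    (the same view an outsider gets); with a JWT obtained from your own
    account, private ones appear too and can be compared against the public set.
    """
    url = HUB_API.format(namespace=namespace)
    while url:
        req = urllib.request.Request(url)
        if token:
            req.add_header("Authorization", f"JWT {token}")
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        yield page
        url = page.get("next")  # None on the last page ends the loop


def public_repositories(pages) -> List[str]:
    """Return 'namespace/name' for every repository listed as public.

    A result that lacks ``is_private`` is treated as public, the conservative
    choice for an audit: better a false positive than a missed exposure.
    """
    exposed = []
    for page in pages:
        for repo in page.get("results", []):
            if not repo.get("is_private", False):
                exposed.append(f"{repo['namespace']}/{repo['name']}")
    return sorted(exposed)


def audit(namespace: str, token: Optional[str] = None) -> List[str]:
    """Live audit: list repositories in ``namespace`` that anyone can pull."""
    return public_repositories(iter_repository_pages(namespace, token))


# Constructed sample of two API pages, shaped like the real listing response,
# so the audit logic can be exercised offline. The namespace is hypothetical.
SAMPLE_PAGES = [
    {
        "next": "https://hub.docker.com/v2/repositories/mycompany/?page=2&page_size=100",
        "results": [
            {"namespace": "mycompany", "name": "billing-api", "is_private": False},
            {"namespace": "mycompany", "name": "web-frontend", "is_private": True},
        ],
    },
    {
        "next": None,
        "results": [
            {"namespace": "mycompany", "name": "ci-builder", "is_private": False},
        ],
    },
]


if __name__ == "__main__":
    # Offline demonstration on the constructed pages; for a real audit call
    # audit("your-namespace") from a host with network access.
    for repo in public_repositories(SAMPLE_PAGES):
        print(f"PUBLIC: {repo}")
```

Run `audit("your-namespace")` on a schedule and alert on any repository that appears in the public list without a documented reason; pairing an anonymous run with an authenticated one also catches repositories created outside your CI process.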