
Docker Hub Security Advisory

RedLock CSI Team

07.18.17 5:22 AM

Docker Hub Repository Exposure

The RedLock CSI team found that many organizations have accidentally shared internal Docker images publicly.

The Impact

The misconfiguration has led to the exposure of source code and other sensitive information.

Background

Docker Hub repositories let you share images with co-workers, customers, or the Docker community at large. If you’re building your images internally, either on your own Docker daemon, or using your own continuous integration services, you can push them to a Docker Hub repository that you add to your Docker Hub user or organization account.

When creating a repository, the “Visibility” drop-down field determines whether an image is public or private. Many organizations have accidentally set this field to “public”, exposing source code and other sensitive information.

Figure 1: The “Visibility” drop-down field makes an image public or private

Recommendations

  1. A simple Docker Hub search for your organization’s or business unit’s name, such as the one below, may surface images that are publicly exposed: https://hub.docker.com/search/?isAutomated=0&isOfficial=0&page=1&pullCount=0&q=mycompany&starCount=0
  2. Train developers on security best practices, and educate them on the implications of inadvertently sharing internal Docker images.
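
The manual search in step 1 can be turned into a repeatable inventory check. The script below is an added example, not part of the advisory: it walks Docker Hub's v2 repository listing for a namespace and reports every repository that is not private. The endpoint and the field names (`results`, `next`, `is_private`) are assumed from Docker Hub's public API, the namespace `mycompany` is the placeholder from the search URL above, and the sample pages are constructed, not real data.

```python
import json
import urllib.request
from typing import Callable, Iterator

# Docker Hub's v2 repository listing (endpoint and field names assumed
# from the public API: each result carries "name", "namespace" and
# "is_private"; "next" holds the URL of the following page, or null).
HUB_API = "https://hub.docker.com/v2/repositories/{ns}/?page_size=100"

def fetch_json(url: str) -> dict:
    """Live fetcher: GET one page of the listing and decode it."""
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)

def iter_repos(namespace: str, fetch: Callable[[str], dict]) -> Iterator[dict]:
    """Walk every page of the namespace listing by following "next"."""
    url = HUB_API.format(ns=namespace)
    while url:
        page = fetch(url)
        yield from page.get("results", [])
        url = page.get("next")

def public_repos(namespace: str, fetch: Callable[[str], dict] = fetch_json) -> list:
    """Return 'namespace/name' for every repository that is not private.
    A missing is_private field is treated as public so it gets reviewed."""
    return sorted(
        f"{r['namespace']}/{r['name']}"
        for r in iter_repos(namespace, fetch)
        if not r.get("is_private", False)
    )

# Constructed sample: two pages as the API would return them for the
# hypothetical organisation "mycompany"; not real data.
PAGE2 = "https://hub.docker.com/v2/repositories/mycompany/?page=2&page_size=100"
SAMPLE_PAGES = {
    HUB_API.format(ns="mycompany"): {"count": 3, "next": PAGE2, "results": [
        {"name": "website", "namespace": "mycompany", "is_private": False},
        {"name": "billing-internal", "namespace": "mycompany", "is_private": True},
    ]},
    PAGE2: {"count": 3, "next": None, "results": [
        {"name": "ci-build-cache", "namespace": "mycompany", "is_private": False},
    ]},
}

def sample_fetch(url: str) -> dict:
    return SAMPLE_PAGES[url]

if __name__ == "__main__":
    for repo in public_repos("mycompany", sample_fetch):  # pass fetch_json for a live audit
        print("PUBLIC:", repo)
```

Run without credentials, the listing returns only what any outsider can already see, which is exactly the set to review; the `is_private` filter matters when the call is made with an authenticated session that also returns private repositories.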

Download a copy of the advisory here.