Docker Hub遭到入侵,泄露19万用户敏感数据
近期,网络上曝出有未经授权人员访问了Docker Hub数据库,大约影响190000名用户的敏感信息。包括一些用户名和密码哈希值,以及GitHub和Bitbucket存储库的令牌。
根据官方上周末发送的安全通知,Docker于2019年4月25日发现有未经授权的访问者访问了Docker Hub的数据库。
在进行调查之后,确定该数据库包含大约190000个用户的敏感信息。这些信息包括用于Docker自动编译的GitHub和Bitbucket存储库的访问令牌以及一小部分用户的用户名和密码哈希值。
存储在Docker Hub中的GitHub和Bitbucket访问令牌允许开发人员修改项目代码,并自动编译成Docker Hub上的镜像。一旦未知第三方获得这些令牌,则可非法访问私有存储库中的代码,并任意修改。
如果攻击者利用这些令牌去部署含有恶意代码的镜像,则可能引发严重的供应链攻击,因为Docker Hub镜像通常被用于服务器配置和应用中。
虽然Docker声明他们已经撤销了所有可能泄露的令牌和访问密钥,但对于使用Docker Hub去自动编译的开发人员来说,检查他们的项目是否存在未授权访问非常重要。更糟糕的是,由于这些通知在周五晚上才发布,很多开发人员并没有在第一时间开始安全检查。
安全通知的全文如下,来自Ycombinator黑客新闻。
On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site.
We want to update you on what we've learned from our ongoing investigation, including which Hub accounts are impacted, and what actions users should take.
Here is what we’ve learned:
During a brief period of unauthorized access to a Docker Hub database, sensitive data from approximately 190,000 accounts may have been exposed (less than 5% of Hub users). Data includes usernames and hashed passwords for a small percentage of these users, as well as Github and Bitbucket tokens for Docker autobuilds.
Actions to Take:
- We are asking users to change their password on Docker Hub and any other accounts that shared this password.
- For users with autobuilds that may have been impacted, we have revoked GitHub tokens and access keys, and ask that you reconnect to your repositories and check security logs to see if any unexpected actions have taken place.
- You may view security actions on your GitHub or BitBucket accounts to see if any unexpected access has occurred over the past 24 hours -see https://help.github.com/en/articles/reviewing-your-security-log and https://bitbucket.org/blog/new-audit-logs-give-you-the-who-what-when-and-where
- This may affect your ongoing builds from our Automated build service. You may need to unlink and then relink your Github and Bitbucket source provider as described in https://docs.docker.com/docker-hub/builds/link-source/
We are enhancing our overall security processes and reviewing our policies. Additional monitoring tools are now in place.
Our investigation is still ongoing, and we will share more information as it becomes available.
Thank you,
Kent Lamb Director of Docker Support info@docker.com
BleepingComputer已尝试和Docker就此问题进行交流,但还没有收到回复。
本文由白帽汇整理并翻译,不代表白帽汇任何观点和立场
来源:https://www.bleepingcomputer.com/news/security/docker-hub-database-hack-exposes-sensitive-data-of-190k-users/
最新评论