On the evening of September 6th, a vulnerability in the App Center repository server became known that allowed the Docker images of Docker-based apps to be manipulated. The vulnerability was in the Docker registry for the Univention App Center, which accepted anonymous pushes of Docker images. The problem was fixed the following day by locking anonymous push again.
The Univention Docker registry is part of the App Center repository and is the download source for the Docker-based apps in the App Center. Anonymous push means that a potential attacker could upload their own Docker images to the registry or replace existing images, and thereby manipulate apps. So far, we have no indication that the vulnerability has been exploited or that apps have been manipulated.
The cause of the vulnerability is a misconfiguration of the Univention Docker registry. The App Center team is currently analyzing whether any pushes have occurred from outside Univention. It is also verifying that the images provided match the originals and have not been tampered with. This work is still in progress.
For administrators of UCS environments there is currently no need for action.
To rule out a future configuration that would allow anonymous push again, an automated test has already been implemented that regularly checks the Univention Docker registry.
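The check described above can be reproduced against any registry that speaks the Docker Registry HTTP API v2: a push begins with `POST /v2/<name>/blobs/uploads/`, and a correctly locked registry must answer that request with 401 (or 403) when no credentials are supplied. The following Python script is an added example, not Univention's own test code; the probe function `anonymous_push_allowed` and the repository name `probe/anon-check` are assumptions, and `make_fake_registry` is a constructed local stand-in so the example runs offline in both the locked and the misconfigured state.

```python
"""Verify that a Docker registry (HTTP API v2) rejects anonymous pushes.

Added example; not part of the original post or Univention's test suite.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def anonymous_push_allowed(registry_url, repository="probe/anon-check", timeout=5):
    """Return True if the registry opens an upload session without credentials.

    Initiating a blob upload is the first step of a push in the Registry HTTP
    API v2. Sending it with no Authorization header and getting any 2xx back
    means an unauthenticated client could push. 401/403 means the registry is
    locked. Any other status (404, 5xx, ...) makes the probe inconclusive, so
    it is raised rather than silently reported as "locked".
    """
    url = f"{registry_url.rstrip('/')}/v2/{repository}/blobs/uploads/"
    req = urllib.request.Request(url, data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def make_fake_registry(require_auth):
    """Start a constructed local registry stand-in on a random port.

    require_auth=True mimics a correctly locked registry; False mimics the
    misconfiguration (anonymous uploads accepted). Returns (server, base_url).
    """

    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            if not (self.path.startswith("/v2/") and self.path.endswith("/blobs/uploads/")):
                self.send_response(404)
                self.end_headers()
                return
            if require_auth and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="registry"')
                self.end_headers()
                return
            # A real registry answers 202 with a Location for the upload session.
            self.send_response(202)
            self.send_header("Location", self.path + "constructed-upload-id")
            self.end_headers()

        def log_message(self, *args):  # keep the probe output readable
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    for locked in (True, False):
        server, base_url = make_fake_registry(require_auth=locked)
        state = "ANONYMOUS PUSH ALLOWED" if anonymous_push_allowed(base_url) else "locked"
        print(f"registry at {base_url} (require_auth={locked}): {state}")
        server.shutdown()
```

Run the probe on a schedule against the real registry URL and alert on a `True` result; because the upload session is never completed, the check leaves no image or blob behind on a registry that happens to be open.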
We will report on the progress of the work here in the blog.