Important Note:

An issue has been reported that affects all versions of anchore-engine from 0.1.1 onward: an authenticated user can construct input to the image add and repo add operations that is ultimately passed through to a shell-out command in the anchore-engine container.

Although exploitation requires authentication, the input can be constructed so that an arbitrary command is executed within the anchore-engine container.

Anchore recommends that all users upgrade immediately to Anchore Engine 0.2.1.
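The bug class the note describes is untrusted input reaching a shell-out. The following is an added illustration of that class and of the usual fix, not anchore-engine's code: the tool name "image-inspect", the command shape and the allow-list regex are assumptions made for the example.

```python
"""Hypothetical illustration of untrusted input reaching a shell-out.
Not anchore-engine's code; the tool name "image-inspect", the command
shape and the allow-list regex are assumptions for this example."""
import re
import subprocess

# Conservative allow-list for image references of the form
# [registry[:port]/]repo/path[:tag][@sha256:digest]. Deliberately tighter
# than the full OCI reference grammar (assumption); widen it only with a reason.
IMAGE_REF_RE = re.compile(
    r"[a-z0-9][a-z0-9._-]*"           # registry or first path component
    r"(:[0-9]{1,5})?"                 # optional registry port
    r"(/[a-z0-9][a-z0-9._-]*)*"       # further path components
    r"(:[A-Za-z0-9_.-]{1,128})?"      # optional tag
    r"(@sha256:[a-f0-9]{64})?"        # optional digest
)


def is_valid_image_ref(image):
    # fullmatch, not match: re.match(r"...$") still accepts a trailing newline,
    # and a newline is enough to start a second command in a shell.
    return IMAGE_REF_RE.fullmatch(image) is not None


def vulnerable_inspect_cmd(image):
    # The anti-pattern: untrusted text interpolated into one string that is
    # later handed to /bin/sh (shell=True). "alpine:3.8; id" ends the intended
    # command at the ';' and runs "id" with the service's privileges.
    return "image-inspect docker://%s" % image


def safe_inspect_argv(image):
    # Hardened form: validate against the allow-list, then pass the value as a
    # single argv element. No shell parses it, so ';', '$(...)', backticks and
    # newlines are just bytes inside one argument.
    if not is_valid_image_ref(image):
        raise ValueError("rejected image reference: %r" % image)
    return ["image-inspect", "docker://" + image]


def run_argv(argv):
    # Execute without a shell and return stdout.
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    payload = "alpine:3.8; echo INJECTED"   # constructed attacker input
    # Harmless stand-in for the real tool so the demo can run anywhere: the
    # interpolated string, run through the shell, prints INJECTED on its own
    # line; the argv form only echoes the payload back as one argument.
    print(subprocess.run("echo inspecting " + payload, shell=True,
                         capture_output=True, text=True).stdout)
    print(run_argv(["echo", "inspecting", payload]))
    print(safe_inspect_argv("docker.io/library/alpine:3.8"))
    try:
        safe_inspect_argv(payload)
    except ValueError as exc:
        print(exc)
```

Both halves matter: the argv form removes the shell from the path, and the allow-list (first character alphanumeric, no metacharacters) stops a value such as "--some-option" from being interpreted as an option by the tool itself.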

Bug Fixes

Anchore Engine version 0.2.1 corrects the following bugs (the Anchore CLI is not part of this release; see below):

  • Security fix for GitHub issue #36: anchore-engine allowed an authenticated user to submit malformed input on image/repo adds, allowing command execution on the engine host.
    Many thanks to Cameron Lonsdale for discovering and reporting the issue.

  • Fix issue where manifest v1 schema based images could not be fetched by imageId

  • Fix issue where NPM feed data fails to sync due to database column size limitations

Upgrading the Anchore Engine

The regular Anchore Engine upgrade procedure can be used to upgrade to version 0.2.1.

Anchore CLI

The Anchore CLI has not been upgraded; the latest release remains 0.2.0.