An issue has been reported which affects all versions of anchore-engine from 0.1.1 onward, where an authenticated user can construct input to the image add and repo add operations that is ultimately passed through to a shell-out command in the anchore-engine container.
While this exploit requires authentication, the input can be constructed in a way that results in an arbitrary command being executed within the anchore-engine container.
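As an added illustration, not code from anchore-engine itself, the pattern the advisory describes beside a hardened form: the unsafe version interpolates the user-supplied image reference into a shell command string, while the hardened version validates the reference against a strict grammar and hands it to the external tool as an argument vector with no shell involved. The tool name `image-tool` and the reference grammar are assumptions for this example.

```python
import re
import subprocess
from typing import List

# Assumed grammar for an image reference: [registry[:port]/]repo/path[:tag][@sha256:digest].
# This is a constructed, deliberately strict pattern, not anchore-engine's own validation.
IMAGE_REF_RE = re.compile(
    r"^(?:[a-z0-9]+(?:[._-][a-z0-9]+)*(?::[0-9]+)?/)?"              # optional registry[:port]/
    r"[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*"  # repository path
    r"(?::[A-Za-z0-9_][A-Za-z0-9_.-]{0,127})?"                      # optional :tag
    r"(?:@sha256:[a-f0-9]{64})?$"                                    # optional @digest
)


def is_valid_image_ref(ref: str) -> bool:
    """Return True only for a well-formed image reference; anything else is rejected."""
    return bool(IMAGE_REF_RE.match(ref))


def build_inspect_command_unsafe(ref: str) -> str:
    # Vulnerable pattern: untrusted input spliced into a string that is later run
    # with shell=True, so shell metacharacters in `ref` change what gets executed.
    return "image-tool inspect docker://%s" % ref


def build_inspect_argv_safe(ref: str) -> List[str]:
    """Hardened form: validate first, then build an argv list for a no-shell exec."""
    if not is_valid_image_ref(ref):
        raise ValueError("invalid image reference: %r" % ref)
    # Each element is passed to the program as one argument; no shell parses it.
    return ["image-tool", "inspect", "docker://" + ref]


def inspect_image(ref: str) -> subprocess.CompletedProcess:
    # shell=False (the default) plus an argv list: the reference can never become a command.
    return subprocess.run(build_inspect_argv_safe(ref), capture_output=True, check=False)
```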
Anchore recommends that all users upgrade immediately to Anchore Engine 0.2.1.
The Anchore Engine and Anchore CLI version 0.2.1 corrects the following bugs:
- Security fix for GitHub issue #36: anchore-engine allows an authenticated user to issue malformed input on image/repo adds, allowing command execution on the engine host.
  Many thanks to Cameron Lonsdale for discovering and reporting the issue.
- Fix issue where manifest v1 schema based images could not be fetched by imageId
- Fix issue where NPM feed data fails to sync due to database column size limitations
Upgrading the Anchore Engine
The regular Anchore Engine upgrade procedure can be performed to upgrade the Anchore Engine to version 0.2.1.
The Anchore CLI has not been upgraded - the latest release remains 0.2.0.