How do the recent (August 26, 2014) Docker Hub Security disclosures affect RHEL customers?
Environment
Red Hat Enterprise Linux 7
Issue
On August 26, 2014 Docker Inc. disclosed that it had recently fixed several vulnerabilities in the Docker Hub that would allow attackers to modify the images of other users. How does this potentially affect users of docker on RHEL?
Resolution
These vulnerabilities were in the Docker Hub, the closed-source central registry run by Docker Inc. Docker Inc. has audited its repository records and found no evidence of any images being altered.
The docker-registry package is a separate technology from the platform used by Docker Hub, and repositories hosted with this package were not affected by these vulnerabilities.
Red Hat's official images are not hosted on the Docker Hub but hosted by Red Hat using a completely different repository technology. Through an agreement with Docker, when users attempt to pull Red Hat images from the Docker Hub they are redirected to the Red Hat repository.
Again, there is no evidence these vulnerabilities were ever used to alter any images, Red Hat official images or otherwise. However, if users would like to avoid the Docker Hub, they may use the Red Hat repository directly by specifying it explicitly in their pull command. For example:
docker pull registry.access.redhat.com/rhel
This command will pull the image directly from Red Hat, skipping the Docker Hub. Users can also download Red Hat images directly on the Docker Images page.
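To check which image references in scripts or build files name the Red Hat registry explicitly, the following sketch classifies each reference by the registry it resolves through. It is an added example, not part of the original article or any Red Hat tooling; the function names, the "docker-hub" label and the sample references are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original article).
# Docker treats the first path component of an image reference as a
# registry host when it contains '.' or ':' or is "localhost"; any other
# reference is resolved through the default registry (the Docker Hub).

TRUSTED_REGISTRY="registry.access.redhat.com"   # registry named in the article

# Print the registry a reference resolves through.
# "docker-hub" is a label chosen for this example, not a hostname.
image_registry() {
    ir_ref="$1"
    case "$ir_ref" in
        */*) ir_first="${ir_ref%%/*}" ;;        # text before the first '/'
        *)   echo "docker-hub"; return 0 ;;     # bare name such as "rhel"
    esac
    case "$ir_first" in
        *.*|*:*|localhost) echo "$ir_first" ;;  # explicit registry host
        *)                 echo "docker-hub" ;; # "user/image" style name
    esac
}

# Read references on stdin, one per line. Print a verdict for each and
# return 1 if any reference does not name the trusted registry.
audit_images() {
    ai_bad=0
    while IFS= read -r ai_ref; do
        [ -z "$ai_ref" ] && continue
        ai_reg="$(image_registry "$ai_ref")"
        if [ "$ai_reg" = "$TRUSTED_REGISTRY" ]; then
            echo "OK      $ai_ref"
        else
            echo "REVIEW  $ai_ref (resolves via $ai_reg)"
            ai_bad=1
        fi
    done
    return "$ai_bad"
}

# Constructed sample references, not taken from any real system.
audit_images <<'EOF' || echo "Some references do not name $TRUSTED_REGISTRY"
rhel
registry.access.redhat.com/rhel
someuser/app:1.0
localhost:5000/rhel
EOF
```

A bare `rhel` is reported for review because, as described above, it is resolved through the Docker Hub and only then redirected to the Red Hat repository.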
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
