Alpine Linux Docker Container Poisoning

Summary

Alpine Linux, the container Linux distribution upon which Xibo's Docker containers are based, has reported a flaw in the way its package manager (apk) works. This flaw could potentially allow an attacker to inject their own code into a container at build time.

We have no evidence to suggest that any Xibo containers have been "poisoned" in this way; however, we have issued an updated 1.8.11 CMS container and 0.7 XMR container as a precaution.

If you’re using Xibo on our Cloud service, then you don’t need to take any action. You are already protected, regardless of the version you are running.

If you are running Xibo with Docker, it's our recommendation that you upgrade to the 1.8.11 CMS container and 0.7 XMR container released today (15th September 2018).

If you are already on 1.8.11, then you will need to issue a docker-compose pull command, followed by a docker-compose up -d command (coupled with any -f switches you normally use). See below for further examples.

If you're on an earlier version of the Xibo CMS, you can simply upgrade to 1.8.11 in the normal way.

Overview

You may have read in the news that the Alpine Linux distribution, upon which many Docker containers are based, has reported that its apk package manager is potentially vulnerable to a "poisoning" attack, where an attacker could use a man-in-the-middle position to inject code into a container during the build process.

Xibo uses Alpine as the basis for its Docker containers, as is common across the industry, since Alpine is specialised for that task. Xibo's Docker containers are built directly by Docker's Cloud service, an independent trusted third party, so you have full transparency as to what is included in them.

The Vulnerability

According to reports, an attacker with access to the network in the build environment could potentially poison a container during the build process by injecting their code into what the Alpine package manager downloads, and that code would then be included inside the resulting container.

Alpine has published an updated version that prevents this from happening, and has rebuilt the base containers upon which our containers are based.

Our Response

We have no evidence to suggest that the Xibo containers have been poisoned in this way; however, as a precaution, we have decided to rebuild the CMS container for 1.8.11 and the XMR container for 0.7 so that a version including the fix provided by Alpine Linux is available.

Our recommendation, therefore, if you're running with Docker, is to ensure you are running the 1.8.11 container that we have released today (September 15th 2018).

If you're running an earlier version of Xibo, you can simply upgrade in the normal way. If you're running 1.8.11 already, you will need to manually pull the new version of the container and then bring the containers up again:

docker-compose pull
docker-compose up -d

If you normally use a -f switch (e.g. -f cms_custom-ports.yml), don't forget to add that in:

docker-compose -f cms_custom-ports.yml pull
docker-compose -f cms_custom-ports.yml up -d
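As an added example, not part of the original advisory or of Xibo's own tooling: a small POSIX shell helper that runs the pull and up -d sequence above (with any -f file you pass) and then reports which containers were actually recreated on a new image, so you can confirm the rebuilt container is the one running rather than the old one. It assumes docker and docker-compose are installed and the compose project is in the current directory; the container names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Xibo's own script. Assumes docker and docker-compose
# are on PATH and the Xibo compose project lives in the current directory.

# snapshot [compose switches]: one line "<container-name> <image-id>" per
# container in the project, e.g. "/xibo_cms_1 sha256:..."
snapshot() {
    docker-compose "$@" ps -q | xargs -r docker inspect --format '{{.Name}} {{.Image}}'
}

# changed_containers BEFORE AFTER: compare two snapshots and print the names
# whose image id differs, or which are new. Pure text processing (no docker).
changed_containers() {
    before="$1"; after="$2"
    printf '%s\n' "$after" | while read -r name image; do
        [ -n "$name" ] || continue
        old=$(printf '%s\n' "$before" | awk -v n="$name" '$1 == n { print $2 }')
        [ "$old" = "$image" ] || echo "$name"
    done
}

# refresh [compose switches]: the advisory's pull + up -d, wrapped in a
# before/after check. Usage: refresh            or   refresh -f cms_custom-ports.yml
refresh() {
    before=$(snapshot "$@")
    docker-compose "$@" pull
    docker-compose "$@" up -d
    after=$(snapshot "$@")
    changed=$(changed_containers "$before" "$after")
    if [ -z "$changed" ]; then
        echo "no container was recreated; check that the pull fetched a new image" >&2
        return 1
    fi
    echo "recreated on a new image:"
    echo "$changed"
}

# demo: constructed snapshots showing the comparison without touching docker.
demo() {
    b="/xibo_cms_1 sha256:aaa
/xibo_db_1 sha256:bbb"
    a="/xibo_cms_1 sha256:ccc
/xibo_db_1 sha256:bbb"
    changed_containers "$b" "$a"   # prints only /xibo_cms_1
}
```

Run `refresh` (or `refresh -f cms_custom-ports.yml`) from the compose directory; a non-zero exit means nothing was recreated, which is the case worth investigating.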

Full details of the original vulnerability can be found here:
https://justi.cz/security/2018/09/13/alpine-apk-rce.html
https://www.theregister.co.uk/2018/09/15/alpine_linux_bug/