Response to Docker security breach

a-h · April 27, 2019, 1:39pm

Hi folks,

I notice that Docker Hub has been compromised (https://news.ycombinator.com/item?id=19763413)

CircleCI publishes a number of containers to Docker Hub such as the CircleCI MySQL image, and I notice that they’ve been updated during the likely breach period and I don’t see any matching announcement in https://discuss.circleci.com/c/announcements/l/latest

Also, there’s no matching commits that should trigger a new image that I can see within Github.

Just wanted to find out whether members of your organisation with push access to Docker were affected by the breach and where the image changes have come from.

Thanks,
Adrian.

a-h · April 27, 2019, 1:40pm

The Github repo is at https://github.com/circleci/circleci-images/commits/staging - I was unable to post more than two links in my first post because it’s the first time I’ve used the forum.

Example Docker images are at https://hub.docker.com/r/circleci/mysql

FelicianoTech · April 28, 2019, 6:25pm

Hi,

Thank you for reaching out about this important issue. I don’t believe there is anything to be concerned about at the moment. Our Docker images are built fresh every 24 hours so they’ve already been built from scratch since the Docker Hub incident.

That being said, our Security Team will look into this to ensure that everything on our end is indeed safe and nothing malicious has occurred do to the upstream incident.

Topic		Replies	Views
MySQL v5.7 Docker Image Issue (October 16th, 2019) CircleCI Images	8	3249	October 26, 2019
Docker image ID mismatches between Circle 1.0 and Hub since early June Feedback & Bug Reports docker	1	717	June 18, 2018
Ruby v2.4.2 and Ruby v2.3.5 CircleCI 2.0 Images Build Environment	1	1033	June 18, 2018
Docker 1.9.1 is available Build Environment docker	12	8621	June 18, 2018
Docker image go and cmake Build Environment docker	2	1540	November 21, 2018

Response to Docker security breach

Related topics