Docker Hub still hosts dozens of Linux images with the XZ backdoor

Docker Hub still hosts dozens of Linux images with the XZ backdoor (www.bleepingcomputer.com)
from tonytins@pawb.social to cybersecurity@infosec.pub on 12 Aug 19:14
https://pawb.social/post/29681113

The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk.

[…]

Many CI/CD pipelines, developers, and production systems pull images directly from Docker Hub as base layers for their own containers, and if those images are compromised, the new build inherits the flaw or malicious code.

#cybersecurity

threaded - newest

baod_rate@programming.dev on 13 Aug 15:25 collapse

Debian says they intentionally opted not to remove these images from Docker Hub and to leave them as historical artifacts, telling users to only use up-to-date images and not old ones.

The maintainers made this decision as they believe the requirements for exploitation are unlikely, such as requiring sshd installed and running on the container, the attacker having network access to the SSH service on that container, and using a private key that matches the backdoor’s trigger logic.

Idk that seems pretty reasonable to me. I think I’ve eojly ever needed to enable ssh on a container once