
Docker Registry is vulnerable to CVE-2013-0169 (LUCKY13) and CVE-2011-3389 (BEAST) #3333

Closed
gaby opened this issue Jan 24, 2021 · 20 comments

@gaby

gaby commented Jan 24, 2021

The current release of Docker Registry only supports TLS 1.0 and there's no way to change it. The PR #2808 added support for changing this but has never been included in a release. This PR was merged over a year ago.

Replicate:

Deploy Docker Registry using this:

docker run -d \
  --restart=always \
  --name registry \
  -v "$(pwd)"/certs:/certs \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
  -p 443:443 \
  registry:2

Tested using testssl.sh cli:

docker run --rm -ti drwetter/testssl.sh 10.0.2.15

Report:

 Testing protocols via sockets except NPN+ALPN 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)


**BEAST** (CVE-2011-3389) - TLS1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA - **VULNERABLE** -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)

**LUCKY13** (CVE-2013-0169) - potentially **VULNERABLE**, uses cipher block chaining (CBC) ciphers with TLS. Check patches

TLS 1.0 and TLS 1.1 are considered industry-deprecated by now, yet Docker Registry provides no way of mitigating this issue. At a minimum, TLS 1.2 should be the default.
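The testssl.sh report above can be reproduced with a small scripted check, which is useful for a CI gate once the registry has been redeployed with the floor the thread asks for (REGISTRY_HTTP_TLS_MINIMUMTLS, the env form of http.tls.minimumtls in config.yml, with a value such as tls1.2 as the linked configuration docs spell it). The script below is an added example, not code from the issue or from the distribution project; the host and port are assumptions, and the probe uses only the standard library. It pins a client context to exactly one protocol version per connection, records which versions the server completes a handshake for, and flags anything below the chosen floor; a version the local OpenSSL build cannot speak at all is reported as "could not be probed" rather than silently counted as not offered.

```python
"""Probe which TLS versions a registry endpoint accepts and flag any below a floor.

Added example (not from the issue or the distribution project). Target host/port
are assumptions; run as: python probe_tls.py 10.0.2.15 443
"""
import socket
import ssl
import sys

# Oldest to newest, matching the order testssl.sh prints.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`,
    False if it refuses, None if this client's OpenSSL cannot attempt that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # only the protocol version matters for this check
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None              # OpenSSL built without this protocol version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; relax it
        # for the probe only, so a "rejected" result really comes from the server.
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:
            return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_all(host, port):
    """Map every known version name to the probe result for that server."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def evaluate(results, floor="TLS 1.2"):
    """Turn a {version: offered} map into (passes, findings).

    Passes only when nothing below `floor` is offered, every version below the
    floor was actually probed, and `floor` itself is offered.
    """
    names = list(VERSIONS)
    findings = []
    for name in names[: names.index(floor)]:
        offered = results.get(name)
        if offered is None:
            findings.append(f"{name} could not be probed from this client")
        elif offered:
            findings.append(f"{name} offered (below floor {floor})")
    if not results.get(floor):
        findings.append(f"{floor} not offered")
    return (not findings, findings)


if __name__ == "__main__":
    target_host = sys.argv[1] if len(sys.argv) > 1 else "10.0.2.15"   # assumed target
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    report = probe_all(target_host, target_port)
    for name, offered in report.items():
        state = {True: "offered", False: "not offered", None: "not probed"}[offered]
        print(f"{name:8} {state}")
    ok, problems = evaluate(report)
    for line in problems:
        print("FINDING:", line)
    sys.exit(0 if ok else 1)
```

The exit status makes the script usable as a deployment check: a registry still answering TLS 1.0 or 1.1 fails the gate, as does one that has been pushed so far that it no longer answers at the floor itself.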

@dariusj18

I'm surprised this has been hanging out there for so long when it is a pretty major security requirement.

@gaby
Author

gaby commented Jan 29, 2021

@dariusj18 Same... All they have to do is make a new release with PR #2808, maybe by 2022.

@dariusj18

I'm going to need to either switch my registry to a different product, or forgo having a local registry at all because of this.

@gaby
Author

gaby commented Feb 2, 2021

CC. #2807 #3169

@gaby
Author

gaby commented Feb 2, 2021

@gaby
Author

gaby commented Feb 18, 2021

CC. #3359

@DrPyser

DrPyser commented May 20, 2021

Hi.

Is the REGISTRY_HTTP_TLS_MINIMUMTLS setting supported and supposed to work in the latest release (Docker Hub's registry:2 / registry:2.7)?

@milosgajdos
Member

Is the REGISTRY_HTTP_TLS_MINIMUMTLS setting supported and supposed to work in the latest release (Docker Hub's registry:2 / registry:2.7)?

This is not supported in either of those releases.

@DrPyser

DrPyser commented May 25, 2021

Okay, thanks.
Is there an available release that does support it? Is there a way to address the common security requirement to disable support for TLS1.0/1.1?

@DrPyser

DrPyser commented May 28, 2021

How come the official Docker documentation includes this configuration option if it is not supported by the latest release?

https://docs.docker.com/registry/configuration/#tls

@lefranco6910

I can't comment on why the official documentation includes configuration that does not seem to be supported by the latest release. I can simply confirm I experienced the same situation as you all. For your information, the "development" image works better. TLS 1.0 and 1.1 are gone. And this happens without configuring anything; it seems to be the default behavior. Give it a try. I tested the registry with 2.7.0-272-gc63b5805. Docker pull/push works just fine and the security vulnerabilities related to TLS are now fixed.

@DrPyser

DrPyser commented Jun 1, 2021

Thanks, I'll try that!

@gaby
Author

gaby commented Jun 3, 2021

@lefranco6910 Using a development image seems like a hack. I still don't understand why the documentation doesn't match the actual releases.

@gaby
Author

gaby commented Dec 8, 2021

Maybe in 2022 they'll care about security; the issue is still valid.

@exe-r

exe-r commented Jan 24, 2022

Tried building it manually from the 2.8 release branch on the GitHub repo, and it's the only version I found that respects the minimumtls config; anything else just discards it.

@milosgajdos
Member

Build from main should also respect it. There will be a proper 2.8 soon -- the current 2.8 release is a pre-release; the 2.7.x releases will be deprecated this year.

@exe-r

exe-r commented Jan 24, 2022

Build from main should also respect it. There will be a proper 2.8 soon -- the current 2.8 release is a pre-release; the 2.7.x releases will be deprecated this year.

@milosgajdos I tried 2.7.1 from Docker Hub, which I guess is aligned with the 2.7 release branch, but it still did not respect the minimumtls value. Should I try to manually build from main? Any differences from the Docker Hub version?

@milosgajdos
Member

@milosgajdos I tried 2.7.1 from Docker Hub, which I guess is aligned with the 2.7 release branch, but it still did not respect the minimumtls value. Should I try to manually build from main? Any differences from the Docker Hub version?

Yes, all the tagged images are aligned with GH branches, hence you'll have no luck with those.
There is a 2.8.0-beta.1 tag on Hub, though.

The beta 2.8.0 pre-release also has an official image available (see here)

Finally, if you'd like a Docker image built off main without manually building the binary yourself, the image gets pushed to the edge tag (see here).

@exe-r

exe-r commented Jan 24, 2022

@milosgajdos I tried 2.7.1 from Docker Hub, which I guess is aligned with the 2.7 release branch, but it still did not respect the minimumtls value. Should I try to manually build from main? Any differences from the Docker Hub version?

Yes, all the tagged images are aligned with GH branches, hence you'll have no luck with those. There is a 2.8.0-beta.1 tag on Hub, though.

The beta 2.8.0 pre-release also has an official image available (see here)

Finally, if you'd like a Docker image built off main without manually building the binary yourself, the image gets pushed to the edge tag (see here).

Thanks for the great info, @milosgajdos. Will give it a try.

@gaby
Author

gaby commented Mar 8, 2022

I can confirm that this issue was fixed by #3552. Thank you, @milosgajdos!

@gaby gaby closed this as completed Mar 8, 2022