Docker Hub autobuild configuration secret vulnerability

Low
parente published GHSA-wf77-9xq7-4cm5 Jan 29, 2020

Package

No package listed

Affected versions

Tags before 29e069665f5f

Patched versions

None

Description

Background

We received the following email from Docker, Inc. on 2020-01-29:

On January 21, 2020 a vulnerability was discovered on Docker Hub that impacted a limited number of accounts representing less than 1% of total Docker Hub accounts. The vulnerability potentially allowed an authenticated Docker Hub user unauthorized access to other Docker Hub users’ autobuild configuration data within a public repository, including any secrets users may have stored inside autobuild environment variables. No autobuild configuration data within private repositories was impacted by this vulnerability. Upon discovery, we acted quickly to intervene and the vulnerability has been remediated as of January 23, 2020.

We recommend you take the following action: If an environment variable in your autobuild configuration within a public repository contains a secret, please rotate this key as soon as possible.

Impact

We store an SSH private key in the Docker Hub autobuild configuration for jupyter/docker-stacks. A Docker Hub post-build hook uses this key to push updates to https://github.com/jupyter/docker-stacks/wiki after image build completion. GitHub requires this key to have read/write access to the entire jupyter/docker-stacks GitHub project in order to push updates to the wiki. Therefore, the key could be used to push code to the git repository itself.

We see no evidence that the key was used in this manner.

Patches

We rotated the SSH deployment key on 2020-01-29. The old key, which may have been compromised, is no longer honored in the jupyter/docker-stacks account.

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs