VMware Harbor Registry is an enterprise-class registry server that stores and distributes container images. By sending a crafted request to a Harbor registry, an attacker can gain administrative control of it: in Harbor 1.7.0 through 1.8.2, a non-admin user can create an admin account through the POST /api/users API, because the user-creation handler in core/api/user.go accepted the admin-role flag supplied in the request body instead of clearing it.
Impacted Products
- VMware Cloud Foundation
- VMware Harbor Container Registry for PCF
How to determine whether your deployment is exposed:
- You are running an affected version (1.7.0 through 1.8.2) and using database authentication; POST /api/users only creates accounts in this mode, so any existing non-admin user can reach the endpoint.
- You have enabled self-registration. In that case an unauthenticated visitor can register an account with the admin flag set, which is the worst case.
Mitigation / Precaution
- If your product relies on Harbor, upgrade immediately to 1.7.6 (1.7.x line) or 1.8.3 (1.8.x line). This is the actual fix; the two items below only reduce exposure until you can upgrade.
- In your Harbor Container Registry, disable self-registration so that only authenticated users can reach the user-creation endpoint.
- Use an external identity provider (such as an LDAP directory) instead of database authentication; Harbor rejects POST /api/users when it is not in database-authentication mode.
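The following Python helper turns the indicators above (version, authentication mode, self-registration) into an exposure verdict, and adds the post-registration check a practitioner would run after creating a test account. It is an added example written for this page, not code from the advisory or from the Harbor project. It assumes the field names of Harbor 1.x's GET /api/systeminfo response (`harbor_version`, `auth_mode`, `self_registration`) and of GET /api/users/current (`has_admin_role`); the sample documents at the bottom are constructed, not captured from a live registry.

```python
"""Offline assessment helpers for the Harbor POST /api/users admin-creation issue.

Added example, not Harbor project code. Assumed inputs: the JSON returned by
Harbor 1.x GET /api/systeminfo and GET /api/users/current. Sample documents
below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Release lines named in the advisory and the first fixed patch release in each:
# 1.7.0 through 1.8.2 are affected; 1.7.6 and 1.8.3 carry the fix.
FIRST_FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 7): (1, 7, 6),
    (1, 8): (1, 8, 3),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from a Harbor version string.

    Harbor reports strings such as 'v1.8.1-4f0d3d8' (tag plus build hash);
    the suffix is ignored. Returns None when no x.y.z triple is present.
    """
    match = _VERSION_RE.search(text or "")
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected_version(text: str) -> Optional[bool]:
    """True if in an affected line and below its fix, False if not, None if unparseable."""
    version = parse_version(text)
    if version is None:
        return None
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return False  # not in the 1.7.x / 1.8.x lines the advisory names
    return version < fixed


def assess_systeminfo(info: dict) -> Dict[str, object]:
    """Combine version, auth mode and self-registration into an exposure verdict.

    POST /api/users only creates accounts in database-authentication mode, so
    db_auth is required for the issue to be reachable at all. Enabled
    self-registration additionally lets an unauthenticated visitor create the
    account; without it, any existing non-admin user can.
    """
    affected = is_affected_version(str(info.get("harbor_version", "")))
    db_auth = info.get("auth_mode") == "db_auth"
    self_reg = bool(info.get("self_registration", False))

    if affected is False or not db_auth:
        exposure = "none"
    elif affected is None:
        exposure = "unknown"
    elif self_reg:
        exposure = "anonymous"
    else:
        exposure = "authenticated"

    actions: List[str] = []
    if exposure != "none":
        if affected is None:
            actions.append("version string not recognised; confirm the running release manually")
        else:
            actions.append("upgrade to 1.7.6 / 1.8.3 or later")
        if self_reg:
            actions.append("disable self-registration")
        actions.append("move from DB authentication to an external identity provider such as LDAP")

    return {
        "affected_version": affected,
        "db_auth": db_auth,
        "self_registration": self_reg,
        "exposure": exposure,
        "actions": actions,
    }


def created_user_has_admin(current_user: dict) -> bool:
    """Check the GET /api/users/current document of a freshly registered test account.

    On a patched server the account must come back without admin rights; any
    truthy has_admin_role means the registration path honoured the flag.
    The field is an int (0/1) in older releases and a bool in newer ones, so
    coerce rather than compare to True.
    """
    return bool(current_user.get("has_admin_role", False))


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real registry.
    samples = {
        "vulnerable, self-registration on": {
            "harbor_version": "v1.8.1-4f0d3d8", "auth_mode": "db_auth", "self_registration": True},
        "vulnerable, self-registration off": {
            "harbor_version": "v1.7.5-0a1b2c3", "auth_mode": "db_auth", "self_registration": False},
        "patched": {
            "harbor_version": "v1.8.3-9e8d7c6", "auth_mode": "db_auth", "self_registration": True},
        "LDAP auth": {
            "harbor_version": "v1.8.1-4f0d3d8", "auth_mode": "ldap_auth", "self_registration": False},
    }
    for label, info in samples.items():
        print(f"{label:36s} -> {assess_systeminfo(info)['exposure']}")
    print("test account admin?", created_user_has_admin({"username": "probe", "has_admin_role": 0}))
```

To use it against a real instance, fetch `/api/systeminfo` (it is unauthenticated in Harbor 1.x), feed the parsed JSON to `assess_systeminfo`, and, if self-registration is enabled, register a throwaway account through the normal sign-up flow and pass the `/api/users/current` document for that account to `created_user_has_admin`. A patched server returns `false` (or `0`) there regardless of what the sign-up request carried; delete the probe account afterwards.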