We would like to quickly explain and address the recent Metasploit module, which was created to exploit Rancher servers and Docker hosts. This is not a security issue, because the module only works in the following two scenarios: when authentication has not been enabled on the Rancher server, or when an attacker already holds valid Rancher API keys.
While Rancher does not require you to enable authentication, you should always enable it if you are deploying Rancher in an untrusted environment (e.g., publicly exposed to the internet). Instructions can be found here. Rancher currently supports GitHub, SAML, LDAP/AD, Azure AD, OpenLDAP, and local authentication using our database.
This is no different from having your username and password compromised, so please make sure your API keys are stored securely. Rancher provides an option to disable and recreate any API keys that have been compromised. In Rancher 2.0, we will be further enhancing security by requiring authentication to be enabled by default. Access to host bind mounts (what is exploited here) will be privileged, and will require that users be explicitly granted access. Stay tuned for more information!
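Since the module's impact comes from bind-mounting host paths into a container, an administrator can audit existing Docker hosts for exactly that. The following is an added example (not code from the Rancher post or the Rancher project): it reads `docker inspect` output and flags containers that bind-mount sensitive host paths; the list of sensitive paths and the sample JSON are constructed assumptions.

```python
import json

# Host paths whose bind mount into a container amounts to host access.
# Assumption: illustrative list, not an exhaustive Docker or Rancher policy.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock",
                        "/var/lib/docker", "/proc", "/sys")


def _is_sensitive(source: str) -> bool:
    """True if `source` is one of the sensitive host paths or lies beneath one."""
    src = source.rstrip("/") or "/"
    for path in SENSITIVE_HOST_PATHS:
        if path == "/":
            if src == "/":
                return True
        elif src == path or src.startswith(path + "/"):
            return True
    return False


def risky_bind_mounts(inspect_output):
    """Return (container, host_path, container_path, writable) for every bind
    mount of a sensitive host path. Named volumes are skipped: only Type=bind
    exposes an arbitrary host path."""
    findings = []
    for container in inspect_output:
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue
            if _is_sensitive(mount.get("Source", "")):
                findings.append((name, mount["Source"],
                                 mount.get("Destination"), bool(mount.get("RW", True))))
    return findings


# Constructed sample shaped like `docker inspect` output (not from a real host).
SAMPLE = json.loads("""[
 {"Name": "/web", "Mounts": [{"Type": "bind", "Source": "/srv/www",
   "Destination": "/usr/share/nginx/html", "RW": false}]},
 {"Name": "/agent", "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
   "Destination": "/var/run/docker.sock", "RW": true},
  {"Type": "volume", "Source": "/var/lib/docker/volumes/x/_data",
   "Destination": "/data", "RW": true}]},
 {"Name": "/debug", "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": true}]}
]""")

if __name__ == "__main__":
    # On a live host: docker inspect $(docker ps -q) | python3 this_script.py
    for name, src, dst, rw in risky_bind_mounts(SAMPLE):
        print(f"{name}: host {src} -> {dst} ({'rw' if rw else 'ro'})")
```

The volume mount under `/var/lib/docker` is deliberately left unflagged, since it is a Docker-managed volume rather than an operator-chosen host path.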