Docker recently announced Docker Hub had a brief security exposure that enabled unauthorized access to a Docker Hub database, exposing 190k Hub accounts and their associated GitHub tokens for automated builds. While initial information led people to believe the hashes of the accounts could lead to image:tags being updated with vulnerabilities, including official and microsoft/ org images, this was not the case. Microsoft has confirmed that the official Microsoft images hosted in Docker Hub have not been compromised.
Consuming Microsoft images from the Microsoft Container Registry (MCR)
As a cloud and software company, Microsoft has been transitioning official Microsoft images from being served from Docker Hub, to being served directly by Microsoft as of May of 2018. To avoid breaking existing customers, image:tags previously available on Docker Hub continue to be made available. However, newer Microsoft images and tags are available directly from the Microsoft Container Registry (MCR) at mcr.microsoft.com. Search and discoverability of the images are available through Docker Hub, however docker pull, run and build statements should reference mcr.microsoft.com. For example, pulling the windows-servercore image:
docker pull mcr.microsoft.com/windows/servercore
Official microsoft/ org images follow the same format.
Microsoft recommends pulling Microsoft official images from mcr.microsoft.com.
Recommended best practices
Leveraging community and official images from Docker Hub and Microsoft are a critical part of today’s cloud native development. At the same time, it’s always important to create a buffer between these public images and your production workloads. These buffers account for availability, performance, reliability and the risk of vulnerabilities. Regardless of which cloud you use, or if you are working on-prem, importing production images to a private registry is a best practice that puts you in control of the authentication, availability, reliability and performance of image pulls. For more information, see Choosing A Docker Container Registry.
Automated container builds
In addition to using a private registry for your images, we also recommend using a cloud container build system that incorporates your companies integrated authentication. For example, Azure offers Azure Pipelines and ACR Tasks for automating container builds, including OS & .NET Framework patching. ACR also offers az acr import, for importing images from Docker Hub and other registries, enabling this buffer.
Microsoft remains committed to the security and reliability of your software and workloads.