I have shut down my site, rather than leave it vulnerable.
I appreciate those details, but why are the maintainers just not updating the Docker Hub image as quickly?
The Docker Hub image maintainers are volunteers. They may be busy at work.
Depending on volunteers to be on standby at a moment's notice is not a recipe for security. For critical vulns, it's common for open source projects to privately coordinate with major packagers so that packages with fixes are available when the vulnerability is disclosed.
The situation can change if the exploit is known to be in use in the wild. Then the priority may shift to getting a fix out in any form, so at least some people with know-how can patch their systems even if official packages are not released yet.
Should be Ghost team directly. Such a shame.
I disagree. We are a community because we want to support each other's efforts.
Thanks a lot @markstos for alerting me, for your collaborative spirit and your kind words. Also, your Spanish is very good!
Here's the public disclosure of the latest SQL injection vuln. @curiositry Note that it describes a temporary mitigation that can be implemented with a reverse proxy that you may have running in front of Ghost. An LLM could help with the specific syntax needed for whichever product you might be using as a reverse proxy.
Impact
A SQL injection vulnerability existed in Ghost's Content API that allowed unauthenticated attackers to read arbitrary data from the database.
Vulnerable Versions
This vulnerability is present in Ghost v3.24.0 to v6.19.0.
Patches
v6.19.1 contains a fix for this issue.
Workarounds
There is no application-level workaround. The Content API key is public by design, so restricting key access does not mitigate this vulnerability.
As a temporary mitigation, a reverse proxy or WAF rule can be used to block Content API requests containing slug%3A%5B or slug:[ in the query string filter parameter. Note that this may break legitimate slug filter functionality.
More info on what this is waiting on here:
OK, so I'm confused about why the Docker version is considered "not official" when it's listed as a preview in the official Ghost docs themselves:
IMO, if this is not managed by Ghost, Ghost shouldn't be putting it in the docs. In the meantime, I've taken down my website waiting for Docker to be up-to-date. Which isn't a great look for me or for Ghost, frankly.
Looks like @tianon has reviewed and merged!
I can see there's a build in progress, here:
EDIT: While writing this it looks like there might be movement on the revised Docker image, so if it's available shortly, it may be best to wait for that.
Original post:
For my site, which does not appear to have integrations or other elements that use the following types of API requests:
Content API requests containing
slug%3A%5B or slug:[
I've kept my original Caddyfile {$DOMAIN} section at the top, and added the following under ${DOMAIN}, before the other rules that start with import snippets/Logging
```
# GHSA-w52v-v783-gw97 mitigation:
# Block Content API requests where the *decoded* filter contains "slug:["
@ghost_slug_filter_block {
    path /ghost/api/content/*
    expression `{query.filter}.contains("slug:[")`
}
handle @ghost_slug_filter_block {
    respond 403
}
```
and then restarted the ghost-caddy-1 container.
NOTE: Please be aware that everyone's environment is different, so while this appears to work for me, it may not for you. I offer no guarantees it works well for me, you, or anyone.
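As an added example (not from this thread, the advisory, or Ghost's code), here is the advisory's temporary workaround and the Caddy rule above expressed as a plain request check in Python: it looks only at Content API paths, decodes the `filter` query parameter and returns True when it contains `slug:[`. It goes slightly beyond the Caddy rule by also normalising repeated percent-encoding (e.g. `slug%253A%255B`), and runs a set of constructed sample request targets through the check.

```python
from urllib.parse import urlsplit, parse_qs, unquote

CONTENT_API_PREFIX = "/ghost/api/content/"
MARKER = "slug:["  # the pattern named in the GHSA-w52v-v783-gw97 workaround


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the string stops changing, so that
    double-encoded forms such as slug%253A%255B are normalised as well."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def should_block(request_target: str) -> bool:
    """True when the request matches the advisory's workaround rule: a Content
    API path whose decoded `filter` parameter contains "slug:[". Admin API and
    non-API paths are left alone, as in the Caddy rule."""
    parts = urlsplit(request_target)
    if not parts.path.startswith(CONTENT_API_PREFIX):
        return False
    # parse_qs performs one round of percent-decoding; fully_decode does the rest
    for value in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
        if MARKER in fully_decode(value):
            return True
    return False


# Constructed sample request targets (not real traffic). Only the Content API
# requests whose filter carries slug:[ in some encoding should be blocked.
SAMPLE_REQUESTS = [
    "/ghost/api/content/posts/?key=abc&filter=slug%3A%5Bhello%5D",
    "/ghost/api/content/posts/?key=abc&filter=slug:[hello]",
    "/ghost/api/content/posts/?key=abc&filter=slug%253A%255Bhello%255D",
    "/ghost/api/content/posts/?key=abc&filter=tag:getting-started",
    "/ghost/api/admin/posts/?filter=slug:[hello]",
    "/blog/?filter=slug:[hello]",
]


def classify(requests):
    """Pair each request target with the block decision."""
    return [(target, should_block(target)) for target in requests]


if __name__ == "__main__":
    for target, blocked in classify(SAMPLE_REQUESTS):
        print("BLOCK" if blocked else "allow", target)
```

Like the advisory's own rule, this blocks every slug list filter, legitimate or not, so it is a stopgap until the patched image is deployed.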
Fix is live:
Thanks for sharing your snippet @mbdmbd. I would have done the same thing with my Nginx reverse proxy, I just didn't have time to fuss with it today, and didn't want to deploy a fix that I hadn't properly tested.
It seems to be partially live. The page is reporting both that there are 6.19.1* images available, but also on the right hand side that the latest image is four days old. When I do a docker compose pull it still seems to be getting the older image (6.18.2) for me:
```
IMAGE          ID             DISK USAGE   CONTENT SIZE   EXTRA
ghost:6-alpine 2ec674f6f4cb   1.25GB       213MB          U
```
And when I try and pull the 6.19.1 directly it fails:
```
$ docker pull ghost:6.19.1-alpine
Error response from daemon: manifest for ghost:6.19.1-alpine not found: manifest unknown: manifest unknown
```
I have no doubt it's coming soon, but it doesn't appear to be here quite yet…
Looks like it's live for me now too.
I just got the fix! I still see the "four days old" but docker pulled the new image.
I'm really appreciative that the Docker image was just updated, thank you to the folks who pulled all this together!
I feel like if Docker is a "community-maintained" installation method and not officially supported by Ghost, the docs should really reflect that. I read through the entire installation doc again tonight and I don't see anywhere it says it's "community-maintained". In fact, it says "we are previewing" and "we're starting to build some features as separate services", which absolutely led me to believe that Ghost was supporting this method of installation. I feel strongly that the Docker image should be maintained by Ghost in a formal capacity, or the docs should be modified to reflect that Docker is a purely community-maintained installation method.
I agree with @veronicaexplains, if the official method is not really kept up to date with releases, it does make you wonder how supported self-hosting really is.
And for me, since v6 this is how it feels. You can self host (and thank you for that, really!) but it has not been the smoothest experience. Docker images being behind on security fixes is one thing, but I also find it hard sometimes to know what works differently when you self host. Like the ActivityPub and PubSub situation, I was not sure what that meant for us.
I think most of us would just like to know where we stand. Even if something is not fully supported, just knowing that would already help a lot.
There's an official post in the forum about this now here:
It includes this statement:
We're actively working on improving when and how we release security updates to the Docker image.
Otherwise it does not contain new information.
Hi everyone
Thanks for raising this, and I'm really sorry we dropped the ball here. There have been multiple failures on our part that have led to a situation that falls well short of our standards.
- Recommending Docker usage without the Ghost core team maintaining the Docker image
- Releasing a security update without providing an update path via the recommended Docker image
- Releasing a security disclosure without there being sufficient time for anyone to update
- Sending a confusingly formatted, unhelpful security update notification by email
I want to own and acknowledge that this is not good enough, and I want to share what we're doing about it:
First - until now, our developer tooling and release process has been a shared responsibility between our engineering teams. That worked fine for a long time while Ghost was smaller, but it no longer works today. The surface area is too large, and it needs to be someone's full-time job.
As a result, we're immediately hiring for (two) full-time platform engineering positions. If you know anyone who might be a good fit, please send them our way.
Second - the Ghost Docker image will become the official first-class way to run Ghost, and it will be supported, maintained, and released by the Ghost core team. That will be one of the first projects we ask new platform engineers to work on.
It's not going to happen overnight, it will take some time, but we will get it done.
Until we complete that transition, we will coordinate any future security releases and make sure there is a Docker upgrade path immediately available - and that the disclosure of security issues is better communicated, with time to complete updates before publishing the details of the issue.
We've made (and will continue to make) changes to our incident response and security release processes to do better, and make sure we don't repeat the same mistakes in the way we have here.
The responsibility for this lies squarely with me. I haven't done a good job of prioritizing this work and the resources needed to do it.
I'm going to put that right.
Hi @John, thanks for your feedback and all the work you and the team are doing. I'm sure you'll achieve the goals and even more.
Please consider our interest in collaborating and helping as a community. I would personally love to get involved as a volunteer contributor.
Regards!
As a new Ghost user, thanks for putting this out there. Looking forward to seeing how this shapes up. When the Docker installation is out of preview, I plan to cover it both on my blog and via video.
I appreciate all of the work team Ghost is doing, as well as the Docker maintainers and the community for helping each other navigate all of this!