CVE-2022-31668
📋 TL;DR
This vulnerability in Harbor allows authenticated users to modify p2p preheat policies in projects they shouldn't have access to. Attackers can exploit improper permission validation to tamper with content distribution configurations. Organizations using Harbor for container registry management are affected.
💻 Affected Systems
- Harbor
📦 What is this software?
Harbor by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors could disrupt container image distribution across multiple projects, potentially causing service outages or distributing compromised images to production environments.
Likely Case
Unauthorized modification of p2p preheat policies could degrade performance or cause inconsistent image distribution across Harbor projects.
If Mitigated
With proper network segmentation and strict access controls, impact would be limited to unauthorized policy changes within the Harbor instance.
🎯 Exploit Status
Exploitation requires authenticated access to Harbor but minimal technical skill to craft malicious API requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Harbor 2.5.3 and later
Vendor Advisory: https://github.com/goharbor/harbor/security/advisories/GHSA-3wpx-625q-22j7
Restart Required: Yes
Instructions:
1. Back up the Harbor configuration and database.
2. Upgrade to Harbor 2.5.3 or later.
3. Restart Harbor services.
4. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Disable p2p preheat functionality
Temporarily disable p2p preheat policies until patching can be completed
# Edit Harbor configuration to disable p2p preheat
# Configuration location varies by deployment method
Restrict API access
Implement network controls to restrict access to Harbor API endpoints
# Use firewall rules to limit API access
# Example: iptables -A INPUT -p tcp --dport 443 -s trusted_networks -j ACCEPT
🧯 If You Can't Patch
- Implement strict role-based access control (RBAC) to limit which users can modify policies
- Monitor and audit all p2p preheat policy modification attempts in logs
🔍 How to Verify
Check if Vulnerable:
Check the Harbor version via the web interface or the API. Vulnerable if the version is between 2.0.0 and 2.5.2 inclusive.
Check Version:
curl -k https://harbor-host/api/v2.0/systeminfo | grep "harbor_version"
Verify Fix Applied:
Verify Harbor version is 2.5.3 or later and test that authenticated users cannot modify p2p policies in unauthorized projects.
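The version check above can be automated. The following is an added example, not code from the advisory or from the Harbor project: it parses the `harbor_version` field of the `/api/v2.0/systeminfo` response (Harbor reports strings such as `v2.5.1-<build>`; the suffix and leading `v` are handled as assumptions about that format) and compares the numeric part against the affected range stated on this page. The sample JSON bodies are constructed for the demonstration; `fetch_systeminfo` is an optional helper for querying a live instance and is not exercised offline.

```python
import json
import re
from typing import Optional, Tuple

# Affected range as stated on this page: 2.0.0 through 2.5.2 inclusive; fixed in 2.5.3.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 5, 2)

# Harbor version strings look like "v2.5.1-7d3e6b0f" (assumption: optional
# leading "v", then major.minor.patch, then an optional build suffix).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Harbor version string, or None."""
    m = _VERSION_RE.search(raw)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the version falls inside the affected range (inclusive)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess_systeminfo(body: str) -> dict:
    """Interpret the JSON body returned by GET /api/v2.0/systeminfo."""
    info = json.loads(body)
    raw = info.get("harbor_version", "")
    version = parse_version(raw)
    if version is None:
        # Unparseable version (e.g. a dev build): report it rather than guess.
        return {"raw": raw, "version": None, "status": "unknown"}
    status = "vulnerable" if is_vulnerable(version) else "not-affected"
    return {"raw": raw, "version": version, "status": status}


def fetch_systeminfo(base_url: str, cafile: Optional[str] = None) -> str:
    """Fetch the systeminfo endpoint from a live instance (needs network access).
    TLS verification stays on; pass cafile for a private CA instead of disabling it."""
    import ssl
    import urllib.request

    ctx = ssl.create_default_context(cafile=cafile)
    url = f"{base_url.rstrip('/')}/api/v2.0/systeminfo"
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses for offline use (not captured from a real instance).
SAMPLE_VULNERABLE = '{"harbor_version": "v2.5.1-7d3e6b0f", "auth_mode": "db_auth"}'
SAMPLE_FIXED = '{"harbor_version": "v2.5.3", "auth_mode": "db_auth"}'

if __name__ == "__main__":
    for body in (SAMPLE_VULNERABLE, SAMPLE_FIXED):
        print(assess_systeminfo(body))
```

To check a real deployment, replace the sample bodies with `fetch_systeminfo("https://harbor-host")` and feed the result to `assess_systeminfo`.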
📡 Detection & Monitoring
Log Indicators:
- Unauthorized PATCH requests to /api/v2.0/projects/{project_name}/preheat/policies/{policy_id}
- Failed permission validation logs for p2p policy updates
Network Indicators:
- Unusual PATCH requests to p2p preheat policy endpoints from unauthorized users
SIEM Query:
source="harbor" AND ("PATCH /api/v2.0/projects" AND "preheat/policies") AND NOT user_role="projectAdmin"
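The log and network indicators above can be turned into a small detector that runs over access logs in front of the Harbor API. The following is an added example, not code from the advisory or from the Harbor project. It assumes a reverse proxy writing combined-format access lines with the authenticated user in the third field, a constructed map of which users administer which project, and treats any PATCH, PUT or DELETE on a preheat policy path by a user who does not administer that project as an alert: a 2xx response is the vulnerability being exercised, a 403 is a denied attempt that the page says is still worth auditing. The log lines are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional, Set

# Combined-format access line with the authenticated user in the third field
# (assumption about the proxy's log format; adjust the regex to match yours).
_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Preheat policy endpoint named on this page, with the project captured so the
# caller's role can be checked against the right project.
_PREHEAT_RE = re.compile(
    r"^/api/v2\.0/projects/(?P<project>[^/]+)/preheat/policies(?:/(?P<policy>[^/?]+))?"
)

MODIFYING_METHODS = {"PATCH", "PUT", "DELETE"}


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into its fields, or None if it does not match."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines: List[str], project_admins: Dict[str, Set[str]]) -> List[dict]:
    """Return one alert per modifying request to a preheat policy endpoint
    made by a user who is not an administrator of the targeted project."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in MODIFYING_METHODS:
            continue
        target = _PREHEAT_RE.match(rec["path"])
        if target is None:
            continue
        project = target.group("project")
        if rec["user"] in project_admins.get(project, set()):
            continue
        status = int(rec["status"])
        alerts.append({
            "user": rec["user"],
            "src": rec["src"],
            "project": project,
            "policy": target.group("policy"),
            "method": rec["method"],
            "status": status,
            # A successful modification by a non-admin is the exploit itself;
            # a 403 is a blocked attempt that still warrants review.
            "outcome": "succeeded" if 200 <= status < 300 else "denied",
        })
    return alerts


# Constructed sample data: project admin roles and access-log lines.
SAMPLE_ADMINS = {"library": {"alice"}, "team-b": {"dave"}}
SAMPLE_LOG = [
    '10.0.0.5 - alice [12/Jun/2022:10:01:02 +0000] "PATCH /api/v2.0/projects/library/preheat/policies/12 HTTP/1.1" 200 154',
    '10.0.0.7 - bob [12/Jun/2022:10:02:11 +0000] "PUT /api/v2.0/projects/team-b/preheat/policies/3 HTTP/1.1" 403 0',
    '10.0.0.9 - carol [12/Jun/2022:10:03:45 +0000] "GET /api/v2.0/projects/library/preheat/policies HTTP/1.1" 200 2048',
    '10.0.0.7 - bob [12/Jun/2022:10:04:02 +0000] "PATCH /api/v2.0/projects/library/preheat/policies/12 HTTP/1.1" 200 154',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, SAMPLE_ADMINS):
        print(alert)
```

The role map would normally be pulled from Harbor's project member API rather than hard-coded; the detection logic is unchanged either way. Unlike the SIEM query above, which keys on a single role name, checking membership per project catches a user who legitimately administers one project but modifies policies in another.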