"Amazon ECR Public Gallery Flaw Could Have Wiped or Poisoned Any Image"

A critical security flaw in the Amazon Elastic Container Registry (ECR) Public Gallery could have enabled attackers to delete any container image or inject malicious code into images belonging to other Amazon Web Services (AWS) accounts. The Amazon ECR Public Gallery is a public repository of container images used to share ready-to-use applications and popular Linux distributions, such as Nginx, EKS Distro, Amazon Linux, the CloudWatch agent, and the Datadog agent. A Lightspin security analyst discovered a new flaw in the ECR Public Gallery that allowed users to modify other users' existing public images, layers, tags, registries, and repositories by abusing undocumented Application Programming Interface (API) actions. The researcher reported the vulnerability to AWS Security on November 15, 2022, and Amazon fixed it in less than 24 hours. Although there is no evidence of the flaw being exploited in the wild, threat actors could have used it to mount large-scale supply chain attacks against many users. The six most downloaded container images in the ECR Public Gallery have had over 13 billion downloads, so any malicious injection could have resulted in "out-of-control" infections. According to Lightspin, 26 percent of all Kubernetes clusters have at least one pod that pulls an image from the ECR Public Gallery, so the consequences could have been significant. This article continues to discuss the potential exploitation and impact of the severe security flaw discovered in the Amazon ECR Public Gallery.
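Because the flaw allowed tags and layers of public images to be rewritten, pods that pull ECR Public Gallery images by mutable tag alone would have picked up a poisoned image transparently. The audit below is an added example (not code from Lightspin, AWS, or the article) that walks a list of Kubernetes pod objects, shaped like the `items` of `kubectl get pods -o json`, and flags containers whose image comes from `public.ecr.aws` without a digest pin; the pod data is constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

ECR_PUBLIC_HOST = "public.ecr.aws"

# Simplified image reference grammar: [host/]path[:tag][@digest].
# A leading component is treated as a registry host only if it contains
# a dot or is "localhost", matching the Docker reference convention.
_REF = re.compile(
    r"^(?:(?P<host>[^/]+\.[^/]+|localhost(?::\d+)?)/)?"
    r"(?P<path>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)


@dataclass
class ImageRef:
    host: str
    path: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry host, repository path, tag and digest."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    host = m.group("host") or "docker.io"  # no host component means Docker Hub
    return ImageRef(host, m.group("path"), m.group("tag"), m.group("digest"))


def audit_pod_images(pods: list) -> list:
    """Return one finding per container that pulls from the ECR Public Gallery
    by tag only. Tags are mutable, so only a digest pin ties the pod to the
    exact content that was reviewed."""
    findings = []
    for pod in pods:
        for c in pod["spec"]["containers"]:
            ref = parse_image_ref(c["image"])
            if ref.host == ECR_PUBLIC_HOST and ref.digest is None:
                findings.append({"pod": pod["metadata"]["name"],
                                 "container": c["name"], "image": c["image"]})
    return findings


# Constructed sample pods (not real cluster data); the digest is a placeholder.
SAMPLE_PODS = [
    {"metadata": {"name": "web"},
     "spec": {"containers": [{"name": "nginx", "image": "public.ecr.aws/nginx/nginx:1.23"}]}},
    {"metadata": {"name": "agent"},
     "spec": {"containers": [{"name": "cw", "image": "public.ecr.aws/cloudwatch-agent/cloudwatch-agent:latest@sha256:" + "a" * 64}]}},
    {"metadata": {"name": "app"},
     "spec": {"containers": [{"name": "app", "image": "private-registry.example.com/app:v1"}]}},
]
```

Running `audit_pod_images(SAMPLE_PODS)` reports only the `web` pod: the `agent` pod is digest-pinned and the `app` pod does not pull from the public gallery.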

Bleeping Computer reports "Amazon ECR Public Gallery Flaw Could Have Wiped or Poisoned Any Image"

Submitted by Anonymous on