VMware Harbor CVE-2019-16097

What is Harbor?

Harbor is an open source Docker registry by VMware. Harbor has many useful features such as vulnerability scanning, image replication, multi-tenancy, and more. More information can be found at goharbor.io.

What is CVE-2019-16097?

Harbor 1.7.0 through 1.8.2 contains a vulnerability in core/api/user.go that allows an attacker to create admin accounts via the POST /api/users API. Additional vulnerability information can be found at VMware under advisory ID VMSA-2019-0015.

The Problem

I was running 1.7.0 and decided to upgrade to 1.9.0. Unfortunately, I ran into an issue during the upgrade when following the provided upgrade instructions. Turning to GitHub for support, I found issue 9146. The issue is in Chinese, so I can’t confirm that it is exactly what I ran into, but it was the closest I could find.

The Fix

First, change to the directory of your Harbor install and stop the service.

cd harbor
docker-compose down

Next, copy your Harbor config file. Now is also the time to back up your Harbor database. Reference the Harbor documentation for this step.

cp /root/harbor/harbor.cfg /root/harbor_backup.cfg

Now you can upgrade to 1.8.3.

docker run -it --rm -v /root/harbor_backup.cfg:/harbor-migration/harbor-cfg/harbor.cfg -v /root/harbor/harbor.yml:/harbor-migration/harbor-cfg-out/harbor.yml goharbor/harbor-migrator:v1.8.3 --cfg up

Next, add the following lines to the updated configuration file.

chart:
  absolute_url: disabled

Finally, you can perform the upgrade to 1.9.0 following the upgrade guide. If all went as planned, your Harbor instance should be running 1.9.0 and should no longer be vulnerable to CVE-2019-16097.
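To check a given install against the affected range quoted above (1.7.0 through 1.8.2), the comparison can be scripted. This is an added example, not part of the original post or of Harbor's tooling; the function names are hypothetical and the version string is supplied by the operator.

```shell
#!/bin/sh
# Added example: classify a Harbor version against the CVE-2019-16097
# affected range stated above (1.7.0 through 1.8.2, inclusive).
# Function names are hypothetical. Usage: sh check.sh v1.7.0

# Turn "v1.8.2", "1.8.2" or "1.8.2-rc1" into one comparable integer.
# Fails (non-zero) unless the input is MAJOR.MINOR.PATCH.
# Assumes each component is below 1000; any suffix is ignored.
harbor_version_key() {
    v=${1#v}          # drop a leading "v"
    v=${v%%[-+]*}     # drop a pre-release or build suffix
    case $v in
        *[!0-9.]*|''|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $v         # split on dots into $1 $2 $3
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    for part in "$@"; do
        # Reject leading zeros, which shell arithmetic reads as octal.
        case $part in 0?*) return 1 ;; esac
    done
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Prints "vulnerable" (exit 1), "not-affected" (exit 0) or "unknown" (exit 2).
harbor_cve_2019_16097_status() {
    key=$(harbor_version_key "$1") || { echo "unknown"; return 2; }
    low=$(harbor_version_key 1.7.0)
    high=$(harbor_version_key 1.8.2)
    if [ "$key" -ge "$low" ] && [ "$key" -le "$high" ]; then
        echo "vulnerable"
        return 1
    fi
    echo "not-affected"
}

# Run the check only when a version was given on the command line.
if [ $# -gt 0 ]; then
    harbor_cve_2019_16097_status "$1"
fi
```

An "unknown" result (for example from a tag such as "latest") should be treated as unverified rather than safe.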
