Docker Hub rate limits

Docker Hub will begin enforcing pull rate limits on November 1, 2020. This may impact your Pro projects in several ways:

  • The primary impact will be on new projects that pull from Docker Hub for the first time
  • Projects that do not use caching, or that are built infrequently, could also be impacted

We encourage you to configure caching on your Pro projects. This gives you faster builds, and after the initial build your project uses our internal caching system instead of pulling from Docker Hub each time.

Docker is introducing the following limits based on your Docker account:

  • Free plan – anonymous users: 100 pulls per 6 hours
  • Free plan – authenticated users: 200 pulls per 6 hours
  • Pro plan – unlimited
  • Team plan – unlimited

If you encounter Docker Hub rate limit issues with your Pro projects, you can configure Docker Hub authentication. If you anticipate higher usage than the free Docker plan allows, consider upgrading to a Docker plan with unlimited pulls.
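Docker Hub reports how much of the quota above is left in response headers, so a build can check its standing before it hits the limit. The following POSIX shell script is an added example, not part of CodeShip's announcement or Docker's own tooling: it parses those headers from a constructed sample and can also query them live, anonymously or with a Docker Hub username and access token (the DOCKERHUB_USER and DOCKERHUB_TOKEN variable names are assumptions).

```shell
# Added example, not CodeShip's or Docker's code. Docker Hub reports the pull
# quota in "ratelimit-limit" / "ratelimit-remaining" headers of the form
# "<count>;w=<window seconds>" (w=21600 is the 6-hour window above), and
# documents a HEAD request on the ratelimitpreview/test manifest as the way
# to read them without spending a pull.

# Reads raw response headers on stdin, prints "<limit> <remaining> <window>";
# exits 1 if the headers are absent (unlimited Pro/Team accounts send none).
parse_ratelimit_headers() {
  tr -d '\r' | awk -F': ' '
    tolower($1) == "ratelimit-limit"     { split($2, a, ";"); limit = a[1]; sub(/^w=/, "", a[2]); win = a[2] }
    tolower($1) == "ratelimit-remaining" { split($2, a, ";"); left = a[1] }
    END { if (limit == "") exit 1; print limit, left, win }'
}

# Live query (needs curl). Anonymous when DOCKERHUB_USER is unset; otherwise
# authenticates with DOCKERHUB_USER / DOCKERHUB_TOKEN (assumed variable names,
# holding a Docker Hub username and personal access token).
fetch_ratelimit_headers() {
  auth_url='https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull'
  if [ -n "${DOCKERHUB_USER:-}" ]; then
    json=$(curl -fsS -u "$DOCKERHUB_USER:$DOCKERHUB_TOKEN" "$auth_url")
  else
    json=$(curl -fsS "$auth_url")
  fi
  # minimal JSON extraction (no jq): the value after the last "token":"
  token=$(printf '%s' "$json" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p')
  curl -fsS -I -H "Authorization: Bearer $token" \
    https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest
}

# Constructed sample (not a real capture) of an anonymous client's headers
# after three pulls in the current window.
SAMPLE_HEADERS='HTTP/1.1 200 OK
content-type: application/vnd.docker.distribution.manifest.list.v2+json
ratelimit-limit: 100;w=21600
ratelimit-remaining: 97;w=21600
docker-ratelimit-source: 203.0.113.10'

# Prints the parsed values; returns 1 when fewer than MIN (default 10) pulls
# remain, i.e. when the next uncached build is at risk of a 429 response.
quota_ok() {
  min=${1:-10}
  triple=$(parse_ratelimit_headers) || return 1
  set -- $triple
  printf 'limit=%s remaining=%s window=%ss\n' "$1" "$2" "$3"
  [ "$2" -ge "$min" ]
}
printf '%s\n' "$SAMPLE_HEADERS" | quota_ok
```

To check a real account, replace the sample with `fetch_ratelimit_headers | quota_ok 20` at the start of a build step and fail early instead of mid-pull.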

Update to CodeShip Basic

CodeShip Basic has several updates:

  • PHP versions updated to 7.2.34, 7.3.23 and 7.4.11

  • Python versions updated to 3.5.10, 3.6.12, 3.7.9, and 3.8.6

  • Python 3.9.0 added

  • Ruby 2.7.2 added

  • JRuby updated to 9.2.13.0

  • Google Chrome updated to 86

  • ChromeDriver updated to 86.0.4240.22

Legacy GitHub OAuth app removed

We removed the legacy GitHub OAuth integration from GitHub.

This integration was discontinued from active use in 2019; however, it remained configured for many repositories.

We do not expect any customer impact; however, you may notice entries in your GitHub audit trail for the integration being removed from older projects.

In the unlikely case that you are impacted, the two most likely scenarios are described below.

If you experience a failure to trigger builds:

Go to GitHub and ensure the app is correctly configured - https://github.com/apps/codeship/installations/new

If you find your CodeShip builds are not able to checkout code:

Follow the instructions for resetting the SSH key - https://documentation.codeship.com/general/projects/project-ssh-key

Critical Security Notification

Dear CodeShip users,

We are reaching out to inform you of additional information we have uncovered as a result of our continuing investigation of the recent GitHub breach. To provide maximum transparency, we are reporting on the results of our investigation, the impact on users, actions you must take to protect yourself/your organization, and actions we will take to strengthen our security processes going forward.

On Wednesday, September 16, 2020, CloudBees was notified by GitHub of suspicious activities targeting CodeShip business accounts connected to GitHub via the CodeShip GitHub app and the now-deprecated CodeShip OAuth tokens. CloudBees immediately initiated an investigation conducted by our security and engineering teams, and on September 27, we identified additional evidence of malicious activity against a failover CodeShip database. On September 29, we uncovered evidence to indicate that a malicious actor had access to this failover instance during the period of June 2019 to June 2020. At this time and to the best of our knowledge, we have no evidence of malicious activity or attempts within CodeShip systems since June 2020.

What type of data was affected?

The impacted accounts are those of CodeShip users. No other products or accounts were affected and CodeShip is in no way integrated with other CloudBees products or systems.

For all CodeShip users:

  • CodeShip users' hashed account passwords, one-time password (OTP) recovery codes and the OTP secret keys used to seed two-factor authentication may have been exposed.

For CodeShip Basic users:

  • Any information contained in CodeShip users’ pipelines may have been exposed. This includes scripts, environment variables, access tokens and other similar data.

For CodeShip Pro users:

  • AES encryption keys may have been exposed.

Business contact information for invoicing purposes, such as company contact name, company name, VAT number, postal address and phone number, also may have been exposed. No payment information, such as bank account numbers or credit card numbers, was exposed. No CloudBees product other than CodeShip was impacted. Also, the logging system was not accessed for any customers.

Steps you should take

Although at this time we have no evidence that the data potentially exfiltrated has been used, all CodeShip users may have been affected (including free, Basic and Pro accounts) and should take the following steps:

  • Immediately rotate any keys or other secrets for cloud providers, third party tools or anything else that you used in your CodeShip pipelines.
  • If using CodeShip Pro, rotate your AES key and re-encrypt your secrets.
  • Immediately identify any other sensitive information that is stored in your pipelines and replace it within your pipelines and on any external systems.
  • Determine whether any of your systems accessible from CodeShip have experienced unauthorized access, by contacting your provider or carefully reviewing your access records.
  • Verify that the source code held in repositories that are linked to your CodeShip account has retained its full integrity.
  • Reset your CodeShip 2FA.

At this time and to the best of our knowledge, we have no evidence of malicious activity or attempts within CodeShip systems since June 2020. We are continuing to monitor the situation.

Steps we are taking

As soon as we were notified by GitHub on September 16, we proceeded to rotate all our applications' internal secrets and rebuilt all our AWS AMIs. We are continuing to scrutinize our AWS security logs to monitor for suspicious activity, such as outbound connections to known malicious IPs. To date, we have not found any such activity.

We want you to be assured that we are taking steps to increase the security strength of the CodeShip product, including but not limited to:

  • Validation that our product threat modeling and large-scope security reviews are systematically implemented.
  • Validation that the application of production security standards to all operational processes and artifacts is systematically implemented.
  • Enhancement of strict restrictions on access to production data and strict segregation of sensitive data.
  • Improvement of existing SIRT processes to ensure faster and better forensic investigation.

Who to contact

For more information, please visit our CodeShip status page which we will continue to update with any new developments.

If you still have questions, please contact security@codeship.com.

Last but not least, I’d like to apologize for the impact this is having on you. In the decade that CloudBees has been operating SaaS applications, we have always taken full responsibility for our products and we do so today. Please be assured that we will do everything we can to prevent this from happening again.

Onward,

Sacha Labourey

CEO

CloudBees

Reauthenticate CodeShip with GitHub

On Wednesday, September 16, 2020, CloudBees was notified by GitHub of suspicious activities targeting certain CodeShip accounts connected to GitHub via the CodeShip GitHub app and the now-deprecated CodeShip OAuth tokens. If your GitHub credentials are impacted, you have already received or will shortly receive a notification from GitHub informing you of this incident.

The activities point to tokens being used to access the “/user/repos” GitHub API endpoint, which is used to list users’ GitHub repositories, including private repositories. It is possible your repositories were cloned, so please contact GitHub support as soon as possible.

Because the suspicious activities involve user tokens, as a first step in our response we revoked all GitHub-related tokens and SSH keys to keep all accounts protected. You need to reauthenticate CodeShip with GitHub immediately to avoid a service impact.

Action Required

We are continuing to investigate the underlying issue and will update our blog to provide more information as soon as we better understand any additional implications and potential root causes.

Thank you.

Update to CodeShip Basic

CodeShip Basic has several updates:

  • PHP versions updated to 7.2.33, 7.3.22 and 7.4.10

  • Python versions updated to 3.6.11, 3.7.8 and 3.8.5

  • Google Chrome updated to 85

  • ChromeDriver updated to 85.0.4183.87

Update to CodeShip Basic

CodeShip Basic has several updates:

  • PHP versions updated to 7.2.32, 7.3.20 and 7.4.8

  • Google Chrome updated to 84

  • ChromeDriver updated to 84.0.4147.30

Update to CodeShip Basic

CodeShip Basic has several updates:

  • PHP versions updated to 7.3.19 and 7.4.7

  • Python versions updated to 2.7.18 and 3.8.3

Update to CodeShip Basic

CodeShip Basic has several updates:

  • PHP versions updated to 7.2.31, 7.3.18 and 7.4.6

  • Ruby 2.4.10, 2.5.8, 2.6.6 and 2.7.1 added

  • JRuby updated to 9.2.11.1

  • Google Chrome updated to 83

  • ChromeDriver updated to 83.0.4103.39

Update to CodeShip Basic

CodeShip Basic has several updates:

  • PHP versions updated to 7.2.29, 7.3.16 and 7.4.4

  • Python versions updated to 3.7.7 and 3.8.2