Applicability

  • Aqua Platform SaaS Edition, Workload Protection module
  • Aqua Platform Self-Hosted Edition


Symptoms

Error:

"connection refused or address does not exist"


Causes

As a result of new mechanisms introduced in Aqua to prevent SSRF attacks through Image Registries, some customers may experience problems connecting to registries that use the Docker Registry API v2.

From Aqua version 2022.4.114 onwards, registries that resolve to known malicious IP addresses, to loopback addresses (127.0.0.0/8; the original note also lists 128.0.0.0, which is not a loopback range) or to private addresses in the ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are blocked when you try to add them (Administration -> Integrations -> Image Registries), with:


Error in the UI:

"connection refused or address does not exist"

Error in the console log ("authenticate_registry", "Failed getting /v2/"):

2022-08-24 21:41:11.628 ERROR Failed getting /v2/ {"url": "<REGISTRYURL>", "error": "response blocked", "errorVerbose": "response blocked\nbitbucket.org/scalock/server/common/libregistry/v2.(*V2).AuthenticateNewRegistry\n\t/go/src/bitbucket.org/scalock/server/common/libregistry/v2/v2.go:194\nbitbucket.org/scalock/server/common/libregistry/v2.New\n\t/go/src/bitbucket.org/scalock/server/common/libregistry/v2/v2.go:166\nbitbucket.org/scalock/server/common/libregistry.NewWithType\n\t/go/src/bitbucket.org/scalock/server/common/libregistry/libregistry.go:147\nbitbucket.org/scalock/server/common/libregistry.ValidateRegistrySteps.func1\n\t/go/src/bitbucket.org/scalock/server/common/libregistry/libregistry.go:237\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1571"}


The check applies even when the registry is defined by a hostname or FQDN rather than an IP address: Aqua resolves the name and tests the resulting IP address against the blocked ranges, so a public-looking name that resolves to a private address is still refused.
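The following script is an added example, not Aqua's own code: it re-implements the check as the article describes it (resolve the registry host, then reject loopback and private IPv4 ranges) so that an administrator can predict whether a registry URL will be refused before adding it. The hostnames, addresses and DNS answers in the demo are constructed; Aqua's actual block list, including its malicious-IP feed, is not reproduced, and the resolver is injectable so the check can run offline.

```python
"""Pre-check a registry URL against the address ranges Aqua's SSRF
protection blocks (added example; not Aqua's own implementation)."""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Ranges named in the article. 127.0.0.0/8 is the loopback block proper.
# The "known malicious IP" feed is not modelled here.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

Resolver = Callable[[str], List[str]]


def resolve_host(host: str) -> List[str]:
    """Resolve a hostname to all of its IPv4 addresses using live DNS."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def registry_host(url: str) -> str:
    """Extract the host from a registry URL or a bare host[:port] string."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in registry URL: {url!r}")
    return host


def blocked_addresses(url: str, resolver: Resolver = resolve_host) -> List[str]:
    """Return the addresses of `url` that fall inside a blocked range.

    An empty list means the registry would pass the check. A literal IP is
    checked directly; a hostname is first resolved with `resolver`, which
    mirrors the article's note that Aqua resolves FQDNs before testing.
    """
    host = registry_host(url)
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no DNS needed
    except ValueError:
        addrs = resolver(host)
    return [
        a for a in addrs
        if any(ipaddress.ip_address(a) in net for net in BLOCKED_NETWORKS)
    ]


def would_be_blocked(url: str, resolver: Resolver = resolve_host) -> bool:
    """True if adding this registry would hit the SSRF block."""
    return bool(blocked_addresses(url, resolver))


if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline (hypothetical names).
    fake_dns = {
        "harbor.corp.internal": ["10.20.30.40"],
        "registry.example.com": ["203.0.113.7"],
        "mixed.example.com": ["203.0.113.8", "192.168.1.10"],
    }
    for url in ["https://harbor.corp.internal:5000", "registry.example.com",
                "http://127.0.0.1:5000", "https://mixed.example.com"]:
        hits = blocked_addresses(url, fake_dns.__getitem__)
        print(f"{url:40} {'blocked via ' + str(hits) if hits else 'allowed'}")
```

Run it with the default resolver against your real registry name to see which resolved address triggers the block; a name that returns both a public and a private address (split-horizon DNS, for example) is refused because of the private one.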

Solutions

To disable this check, redeploy the console with the environment variable below. Note that this switches the SSRF protection off for all registry integrations, so use it only when the registry being blocked genuinely lives on a private or loopback address that the console must reach:

AQUA_BLOCK_REGISTRY_SSRF=0


Tips and Tricks

Problems that may occur after setting AQUA_BLOCK_REGISTRY_SSRF=0:

After applying the solution above, some customers see the error below. It is not related to the SSRF check itself but to the API version of the Docker daemon the scanner uses:

2022-08-30 15:10:12.299  ERROR  Failed processing scan job  {"registry": "DEV2", "image": "agency:24.0-release.5-c86bdf9c", "job ID": "58c5a032-c6c4-4a5a-8ab9-6beb336eef1c", "error": "failed analyzing image: failed analyzing image: failed creating container: \"specify container image platform\" requires API version 1.41, but the Docker daemon API version is 1.40", "errorVerbose": "failed creating container: \"specify container image platform\" requires API version 1.41, but the Docker daemon API version is 1.40\nfailed analyzing image\nbitbucket.org/scalock/server/scannercli/scanner.


If this error occurs, check whether Aqua has been deployed in Dockerless mode. The message itself shows the cause: the scanner asks the daemon for a container with a specific image platform, which requires Docker API version 1.41, but the daemon only offers 1.40 (you can confirm the daemon's version on the scanner host with docker version --format '{{.Server.APIVersion}}').

To verify whether Dockerless mode is enabled, run the SQL query below against the Aqua database:

SELECT * FROM slk_metadata WHERE key='dockerless_mode';


Response:

postgres=# SELECT * FROM slk_metadata WHERE key='dockerless_mode';
       key       | value
-----------------+-------
 dockerless_mode | 0
(1 row)

If the value is "0" (zero), Aqua is not running in Dockerless mode: the scanner creates containers through the host's Docker daemon, which is where the API version mismatch above arises.


To solve this problem, redeploy the Aqua console with the variable below, which switches scanning to Dockerless mode so the scanner no longer depends on the host daemon's API version:

AQUA_DOCKERLESS_SCANNING=1

Additional Resources

N/A
