
Session secret shared across instances using Docker images

High
amercader published GHSA-pr8j-v4c8-h62x Jan 31, 2023

Package

pip ckan (pip)

Affected versions

<2.8.12,<2.9.7

Patched versions

2.8.12, 2.9.7

Description

Impact

When a new container was created from one of the Docker images listed below, the image's default session secret key was used unless a custom value was set through the environment variables in the .env file. That same default was therefore shared by every CKAN instance deployed from these images without an override, so anyone who knew it (for example, by starting the same image) could forge authentication requests, such as signed session cookies, against any such instance.

The affected images are:

Note that the legacy images (ckan/ckan) located in the main CKAN repo are not affected by this issue.
Likewise, if you were already overriding the default secret key in your own .env file, you are not affected.

Patches

All the above images have been patched to generate a fresh key each time a container is created, so pull the latest version of the relevant image.
Note: because a new secret key will be used, the update invalidates all existing sessions (forcing every user to log in again) as well as all existing API tokens, so plan the update in advance, give notice, and minimize disruption.
As with the rest of your secrets and passwords, persist the session secret key using a method that suits you (environment variables, a mounted ini file, etc.); otherwise a key generated afresh on every container creation will invalidate sessions and API tokens each time the container is recreated.
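The following is an added example, not code from CKAN or from the patched images, that models both the impact described above and the remediation: two containers built from the same image fall back to one baked-in default secret, so a session cookie minted by anyone who knows that default is accepted by the other deployment; a container that sets its own randomly generated secret rejects it. The cookie format here is a deliberately simplified HMAC-signed JSON blob standing in for the real session cookie, the default value `changeme-default-secret` is constructed for the example, and the environment variable name `CKAN___BEAKER__SESSION__SECRET` is an assumption about how the override is passed (check your own .env or ini file for the actual key).

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for a secret baked into a shared image (not a real CKAN value).
DEFAULT_IMAGE_SECRET = "changeme-default-secret"

# Assumed name of the override variable; verify against your deployment's .env/ini.
SECRET_ENV_VAR = "CKAN___BEAKER__SESSION__SECRET"


def sign_session(secret: str, payload: dict) -> str:
    """Produce a simplified HMAC-SHA256 signed cookie: base64(payload).hexmac."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    mac = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_session(secret: str, cookie: str):
    """Return the payload if the cookie's MAC matches this secret, else None."""
    try:
        body, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def fresh_secret() -> str:
    """Generate a per-instance secret, as the patched images now do on creation."""
    return secrets.token_urlsafe(32)


def uses_default_secret(env: dict) -> bool:
    """Simple deployment check: no override means the shared image default is in use."""
    return not env.get(SECRET_ENV_VAR)


class CkanInstance:
    """Models one container: the secret comes from the env override or the image default."""

    def __init__(self, env: dict):
        self.secret = env.get(SECRET_ENV_VAR) or DEFAULT_IMAGE_SECRET

    def authenticate(self, cookie: str):
        return verify_session(self.secret, cookie)


def demo():
    # Victim deployment never set a custom secret in its .env file.
    victim = CkanInstance(env={})
    # Attacker starts the same image elsewhere and reads the same default.
    attacker = CkanInstance(env={})
    forged = sign_session(attacker.secret, {"user": "sysadmin"})
    accepted_on_unpatched = victim.authenticate(forged)

    # Patched/remediated deployment: its own generated secret, persisted via env.
    patched = CkanInstance(env={SECRET_ENV_VAR: fresh_secret()})
    accepted_on_patched = patched.authenticate(forged)
    return accepted_on_unpatched, accepted_on_patched


if __name__ == "__main__":
    before, after = demo()
    print("unpatched instance accepted forged cookie:", before)
    print("patched instance accepted forged cookie:", after)
```

Note that `verify_session` uses `hmac.compare_digest` so the check itself is not timing-sensitive; the weakness modelled here is purely that the key is shared, not how it is compared. Persisting the generated value in your .env or mounted ini file is what keeps it stable across container recreations.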


Severity

High

CVE ID

CVE-2023-22746
