Summary
Affected Grocy webserver images were bundled with a hard-coded, self-signed TLS certificate and key for use serving web traffic on hostname localhost.
Actions
If you believe that your containerized Grocy webserver was installed from one of the affected grocy-docker images as published on Docker Hub and served HTTPS traffic using one of the affected certificates, then please confirm the certificate details and upgrade the containers if necessary.
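The following is an added example, not part of this advisory or of the grocy-docker project, showing one way to confirm the certificate details of a running container: it fetches the certificate an HTTPS endpoint presents, prints its subject, issuer, validity and SHA-256 fingerprint, and flags the pattern described in this advisory (a self-signed certificate, i.e. subject equal to issuer, issued for CN=localhost). It requires the openssl command-line tool; the host and port values are placeholders.

```shell
#!/bin/sh
# Added example (not code from the grocy-docker advisory or project).
# Requires the openssl CLI. Hostnames and ports used here are assumptions.
set -eu

# Fetch the leaf certificate presented by a live HTTPS endpoint, PEM on stdout.
# Example: fetch_cert grocy.example.internal 443 > served.pem
fetch_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509
}

# Print the details a practitioner wants when confirming a served certificate.
# $1: path to a PEM-encoded certificate.
cert_details() {
    openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Return 0 if the certificate in file $1 is self-signed (subject == issuer)
# and issued for CN=localhost, the shape of the certificates this advisory
# describes; return 1 otherwise. RFC2253 formatting makes the comparison
# independent of the spacing differences between OpenSSL versions.
is_selfsigned_localhost() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subj" = "$iss" ] || return 1
    case "$subj" in
        *CN=localhost*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage against a live instance (assumed hostname):
#   fetch_cert grocy.example.internal 443 > served.pem
#   cert_details served.pem
#   if is_selfsigned_localhost served.pem; then echo "matches advisory pattern"; fi
```

A match on CN=localhost plus self-signature is a strong hint but not proof that the certificate is one of the bundled ones; if you still have the image, compare the served certificate's SHA-256 fingerprint with that of the certificate file inside the image to confirm.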
If your users accepted self-signed certificates from affected Grocy webserver containers as trusted, please ensure that their browser no longer includes those certificates/sites in their trust lists.
Instructions for inspecting and removing manually-trusted certificates/sites in some popular web browsers are listed below:
Impact
Although web browsers don't trust self-signed certificates by default, users may have clicked through the warnings about the offered certificates, accepting them as valid and causing their browser to keep trusting those certificates on later visits.
In this case, the private keys for the affected certificates were included within Grocy webserver container images -- content that was available to the public -- so anyone holding a copy of an image could impersonate an affected server to a user who had trusted its certificate. Use of these certificates therefore did not provide reliable privacy or authentication guarantees.
Affected versions of the Grocy webserver container have been removed from Docker Hub.
Patches
Grocy container images published since 2022-11-13 no longer contain hard-coded TLS certificates and keys.
For sites that would like to continue to use self-signed certificates, please see the Containerfile-frontend-tls-selfsigned container build file, which includes self-signed TLS certificate and key generation.
Workarounds
If you are unable to upgrade to a patched container image and would like to increase privacy when your Grocy instance is accessed over HTTPS, we recommend that you place an additional reverse proxy in front of Grocy, configure a valid site-specific TLS certificate for that proxy, and use other mechanisms to protect the network segment between the proxy and Grocy.