Summary
On December 23, 2024, an unauthorized image of Kong Ingress Controller v3.4.0 (hash: sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43) was uploaded to DockerHub containing code that enabled cryptojacking in the form of calls to a crypto mining site pool.supportxmr.com.
On January 2, 2025, soon after becoming aware of the issue, we deleted version 3.4.0 and associated tags from DockerHub, rotated all affected access keys to DockerHub, and later on January 2, 2025 released version 3.4.1 which removed the unauthorized code.
We have no evidence to date to suggest that any other images (before or after the hash specified above) were affected.
Action Required
If you pulled Kong Ingress Controller v3.4.0 between December 22, 2024 and January 3, 2025, please remove that image from any internal registries and clusters, and ensure that the remediated image (either v3.4.1, or the clean, re-tagged v3.4 versions below) is pulled and run instead.
The fixed image hashes for v3.4.0 are:
AMD64: sha256:b358296fa6a1458c977c0513ff918e80b708fa9d7721f9d438f3dfce24f60f4f
ARM64: sha256:e0125aa85a4c9eef7822ba5234e90958c71e1d29474d6247adc3e7e21327e8ee
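One way to check a cluster against the digests above, as an added example that is not part of the advisory or Kong's tooling. It assumes input shaped like the output of `kubectl get pods -A -o json` and that the container runtime records the advisory's digest in each container's `imageID`; the sample pods, namespaces and repository name are constructed.

```python
import json
import sys

# Digests copied from the advisory text above.
COMPROMISED = "sha256:a00659df0771d076fc9d0baf1f2f45e81ec9f13179f499d4cd940f57afc75d43"
FIXED = {
    "sha256:b358296fa6a1458c977c0513ff918e80b708fa9d7721f9d438f3dfce24f60f4f",  # AMD64
    "sha256:e0125aa85a4c9eef7822ba5234e90958c71e1d29474d6247adc3e7e21327e8ee",  # ARM64
}
STATUS_KEYS = ("initContainerStatuses", "containerStatuses", "ephemeralContainerStatuses")

def classify(image_id):
    """Map a pod-status imageID (e.g. 'repo@sha256:...') to a verdict."""
    digest = image_id.rsplit("@", 1)[-1].strip().lower()
    if digest == COMPROMISED:
        return "compromised"
    return "fixed" if digest in FIXED else "other"

def scan_pods(pod_list):
    """Return (namespace, pod, container, verdict) for every advisory digest seen."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        for key in STATUS_KEYS:
            for cs in pod.get("status", {}).get(key) or []:
                verdict = classify(cs.get("imageID") or "")
                if verdict != "other":
                    findings.append((meta.get("namespace"), meta.get("name"), cs.get("name"), verdict))
    return findings

def _pod(ns, name, image_id):
    # Helper that builds a minimal constructed pod object for the sample below.
    return {"metadata": {"namespace": ns, "name": name},
            "status": {"containerStatuses": [{"name": "ingress-controller", "imageID": image_id}]}}

# Constructed sample; the repository name, namespaces and pod names are made up.
SAMPLE = {"items": [
    _pod("kong", "kic-old", "docker.io/example/kic@" + COMPROMISED),
    _pod("kong", "kic-new", "docker.io/example/kic@" + sorted(FIXED)[0]),
    _pod("default", "web", "docker.io/example/web@sha256:" + "0" * 64),
]}

if __name__ == "__main__":
    # Piped input is treated as a pod list; otherwise the constructed sample is used.
    pods = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, pod, container, verdict in scan_pods(pods):
        print(f"{verdict.upper():12} {ns}/{pod} container={container}")
```

This only covers pods that currently report a status; copies of the image held in internal registries or node caches need a separate check.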