A researcher from Federacy released a report analyzing vulnerabilities in Docker images in public repositories. 24% of images were found to have significant vulnerabilities, with Ubuntu-based images having the most and Debian-based images the fewest.
The study scanned 91 of the 133 public Docker repositories: those whose image tagged ‘latest’ was built on a major Linux distribution and had a working package manager. A modified version of the open source vulnerability scanner vuls was used to scan the images; vuls is written in Go and supports Linux and FreeBSD. The results were analyzed with internal tools that Federacy had built. Images based on Alpine Linux and images consisting only of static binaries were excluded, since vuls does not yet support them. Scoring was done according to the CVSS v2 standard.
24% of all images scanned had significant vulnerabilities: around 11% were rated high, 13% moderate and the rest potentially vulnerable. The distributions scanned were Ubuntu, Debian and RHEL. Ubuntu-based images had the highest share of vulnerabilities overall (27%), while Debian came out as the least vulnerable distribution (8%). However, the base Ubuntu image itself had no known vulnerabilities, so the ones reported were introduced by the image creators through additionally installed packages and/or configuration changes. Incidentally, Debian is the dominant base distribution (79%) among the official repositories, while Ubuntu accounts for just 16%. The RHEL sample was very small compared to the others (4%).
Image courtesy: https://www.federacy.com/docker_image_vulnerabilities
The newer releases of both Debian and Ubuntu were found to have fewer issues. One possible reason is that newer distribution releases had fewer packages installed, which translates to a smaller attack surface. An earlier, similar report had found 30% of Docker Hub images to have high-priority vulnerabilities.
The most common vulnerability overall, as well as for Ubuntu, was the SSL Death Alert, which can be exploited for denial of service against software built against GnuTLS, OpenSSL or NSS, such as nginx. For Debian, the most common vulnerability was rated severe but is unlikely to affect most users, since it involves cache timing attacks and requires local access to the system.
vuls works by querying the package manager for the installed packages, their versions and their changelogs, then comparing the CVE identifiers found in the changelogs against the National Vulnerability Database (NVD). It is not the only scanner available for Docker images: Clair is used by the Quay.io image repository and by the Kubernetes community for all the images they maintain, and commercial vendors such as Twistlock integrate with various cloud platforms.
While the report discusses the risks inherent in images, it does not go into much detail on how to address them. The suggestions it does make include installing package updates during the image build, automating package updates while the container runs, and adding vulnerability analysis to the image build process. Another suggestion is to use Alpine Linux or a similar minimal distribution, or to build an image containing only a static binary.
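As an added illustration of the changelog-based scanning approach described above and of the suggestion to put vulnerability analysis into the image build, the script below extracts CVE ids from a Debian-style package changelog, keeps the ones fixed only in versions newer than the installed one, rates them with NVD's CVSS v2 severity bands, and returns a build gate decision. This is example code written for this summary, not vuls or Federacy's tooling; the changelog text, CVE ids, scores and the simplified version ordering are all constructed placeholders.

```python
import re
# Debian changelog entry header "pkg (version) dist; urgency=..." and CVE ids
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) ", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed changelog in Debian's format, newest first; the CVE ids are placeholders.
CHANGELOG = """openssl (1.0.1t-1) unstable; urgency=high

  * Fix CVE-2016-1000 (placeholder): TLS alert flood denial of service.

 -- Maintainer <m@example.invalid>  Tue, 03 May 2016 10:00:00 +0000

openssl (1.0.1s-1) unstable; urgency=medium

  * Fix CVE-2016-1001 and CVE-2016-1002 (placeholders).

 -- Maintainer <m@example.invalid>  Tue, 01 Mar 2016 10:00:00 +0000
"""
# Constructed stand-in for NVD CVSS v2 base scores (placeholder values).
NVD_CVSS_V2 = {"CVE-2016-1000": 5.0, "CVE-2016-1001": 7.1, "CVE-2016-1002": 2.1}

def version_key(version):
    """Crude piecewise ordering for the constructed versions; real comparison is dpkg's job."""
    return [int(p) if p.isdigit() else p for p in re.findall(r"\d+|[a-z]+", version)]

def changelog_entries(text):
    """Split a changelog into (version, entry_text) pairs, newest first."""
    heads = list(ENTRY_RE.finditer(text))
    ends = [h.start() for h in heads[1:]] + [len(text)]
    return [(h.group(2), text[h.start():end]) for h, end in zip(heads, ends)]

def unfixed_cves(changelog, installed_version):
    """CVEs fixed only after the installed version, i.e. still open there (the vuls idea)."""
    installed, found = version_key(installed_version), {}
    for version, entry in changelog_entries(changelog):
        if version_key(version) > installed:
            found.update(dict.fromkeys(CVE_RE.findall(entry)))
    return list(found)

def severity_v2(score):
    """NVD severity bands for CVSS v2 base scores."""
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def scan_package(changelog, installed_version, nvd=NVD_CVSS_V2):
    """Map each unfixed CVE to its severity; ids missing from NVD are 'unknown'."""
    return {c: severity_v2(nvd[c]) if c in nvd else "unknown" for c in unfixed_cves(changelog, installed_version)}

def build_should_fail(report):
    """Gate for an image build step: fail on any high-severity finding."""
    return any(sev == "high" for sev in report.values())
```

Calling `build_should_fail(scan_package(CHANGELOG, installed))` inside a build step is the shape of the "vulnerability analysis in the build process" suggestion; a real pipeline would feed it the package manager's changelog output and the full NVD feed instead of the constructed data.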