
Public Docker Image Vulnerability Research Findings Released

By Hrishikesh Barua, Mar 30, 2017

A researcher from Federacy released a report analyzing vulnerabilities in Docker images in public repositories. 24% of the images were found to have significant vulnerabilities, with Ubuntu-based images having the most and Debian-based images the fewest.

The study scanned 91 of the 133 public Docker repositories, namely those whose image tagged 'latest' was based on a major Linux distribution with a working package manager. A modified version of the vuls open source vulnerability scanner was used to scan the images. vuls is written in Go and supports Linux and FreeBSD. The data was analyzed with internal tools that Federacy had built. Alpine-based images and static binaries were excluded from the exercise because vuls did not yet support them. Scoring followed the CVSS v2 standard.

24% of all images scanned had significant vulnerabilities, with around 11% among them rated high, 13% as moderate and the rest as potentially vulnerable. Linux distributions that were scanned include Ubuntu, Debian and RHEL. Ubuntu based images had the highest number of overall vulnerabilities (27%), while Debian came out as the least vulnerable distribution (8%). However, the base Ubuntu image had no known vulnerabilities, which means that the ones reported were introduced by the image creators as a result of installing other packages and/or configuration changes. Incidentally, Debian is the dominant base distribution (79%) among the official repositories while Ubuntu accounts for just 16%. The RHEL sample size was very small compared to the others (4%).

Image courtesy: https://www.federacy.com/docker_image_vulnerabilities

The newer releases of both Debian and Ubuntu were found to have fewer issues. One of the possible reasons for this could be that newer distribution releases had fewer packages installed, which translated to a smaller attack surface. A previous similar report had listed 30% high priority vulnerabilities on Docker Hub images.

The most common vulnerability overall, as well as for Ubuntu, was the SSL Death Alert, which can be exploited to cause DoS attacks against software compiled against GnuTLS, OpenSSL and NSS, such as nginx. For Debian, the most common vulnerability was rated severe but is unlikely to affect most users, since exploiting it requires local access to the system and a cache-timing attack.

vuls is not the only scanner available for Docker images. It works by querying the package manager for the installed packages, their versions and their changelogs, then comparing the CVEs referenced in the changelogs against the National Vulnerability Database (NVD). Another scanner is Clair, which is used by the Quay.io image repository and by the Kubernetes community for all the images it maintains. There are also commercial vendors, such as Twistlock, that integrate with various cloud platforms.

While the report talks about the risks inherent in images, it does not go into much detail on how to address them. Some of the suggestions include installing package updates during the image build process, automating package updates when the container runs, and adding vulnerability analysis to the image build process. Another suggestion is to use Alpine Linux or a similar distribution, or to build a static binary image.
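As an added illustration (not code from the article, from Federacy or from vuls) of the pipeline described above for vuls, and of the build-step vulnerability check suggested as a mitigation, the following Python walks a package's changelog to find fixes the installed version lacks, scores them with CVSS v2 bands and gates the build. It assumes Debian changelog ordering (newest stanza first) and uses constructed package, changelog, CVE and score values in place of real `dpkg-query`, `apt-get changelog` and NVD data.

```python
"""Changelog-driven image scan in the style the article describes for vuls:
installed packages -> changelog CVEs -> NVD lookup -> CVSS v2 band -> build gate.
All names, changelogs (stand-ins for `apt-get changelog`), CVE ids and scores are constructed."""
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
STANZA_RE = re.compile(r"^\S+ \(([^)]+)\) ", re.M)  # "source (version) dist; urgency=.."

INSTALLED = {"openssl": "1.0.1t-1", "zlib1g": "1.2.8-5", "curl": "7.38.0-4"}
CHANGELOGS = {
    "openssl": "openssl (1.0.1t-3) stable; urgency=high\n"
               "  * CVE-0000-0002: remote DoS via a flood of alert records\n\n"
               "openssl (1.0.1t-2) stable; urgency=medium\n"
               "  * CVE-0000-0001: local cache-timing side channel\n\n"
               "openssl (1.0.1t-1) stable; urgency=low\n  * CVE-0000-0000: old fix\n",
    "zlib1g": "zlib (1.2.8-5) stable; urgency=low\n  * CVE-0000-0003: old fix\n",
    "curl": "curl (7.38.0-5) stable; urgency=medium\n  * CVE-0000-0004: fix\n",
}
NVD = {"CVE-0000-0001": 1.9, "CVE-0000-0002": 7.8, "CVE-0000-0003": 5.0}  # CVSS v2 base

def cvss2_severity(score):
    """NVD severity bands for CVSS v2 base scores."""
    return "high" if score >= 7.0 else "moderate" if score >= 4.0 else "low"

def unfixed_cves(changelog, installed_version):
    """CVEs fixed in stanzas newer than the installed version, plus whether that
    version was found. Assumes Debian ordering (newest first): no version math."""
    parts = STANZA_RE.split(changelog)  # ['', ver1, body1, ver2, body2, ...]
    pending = set()
    for version, body in zip(parts[1::2], parts[2::2]):
        if version == installed_version:
            return pending, True
        pending |= set(CVE_RE.findall(body))
    return pending, False  # installed version absent: fixes cannot be placed

def scan_image(installed=INSTALLED, changelogs=CHANGELOGS, nvd=NVD):
    """Map each unfixed CVE to (package, band); a CVE that cannot be placed or is
    missing from the NVD feed is kept as 'potentially vulnerable', not dropped."""
    findings = {}
    for pkg, version in installed.items():
        cves, placed = unfixed_cves(changelogs.get(pkg, ""), version)
        for cve in cves:
            known = placed and cve in nvd
            findings[cve] = (pkg, cvss2_severity(nvd[cve]) if known else "potentially vulnerable")
    return findings

def build_gate(findings, fail_on=("high",)):
    """Build-step gate: False when any finding falls in a band that must fail the build."""
    return not any(band in fail_on for _, band in findings.values())
```

Run against the sample data, the openssl package yields one high and one low finding, zlib1g yields nothing because its installed version heads the changelog, and curl's finding stays "potentially vulnerable" because its installed version never appears in the changelog.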


Is this typo? by Achmad Sandi

"The older releases of both Debian and Ubuntu were found to have fewer issues. One of the possible reasons for this could be that newer distribution releases had fewer packages installed, which translated to a smaller attack surface."

Shouldn't it be:

The "latest" releases of both Debian and Ubuntu were found to have fewer issues. One of the possible reasons for this could be that newer distribution releases had fewer packages installed, which translated to a smaller attack surface.

Re: Is this typo? by Hrishikesh Barua

Thanks for pointing out - you are right. I've corrected it.
