Study: 80% of certified docker images have severe security vulnerabilities (German article)

Source in German: https://heise.de/-4785175

Link to study (English): https://arxiv.org/pdf/2006.02932.pdf

Translation:

Study: 80% of certified docker images have severe security vulnerabilities

A detailed investigation of 2500 Docker images published on Docker Hub revealed some hair-raising security deficiencies. Of all things, the certified images proved to be the worst: a study by Norwegian scientists found that 82 percent of them contained at least one high-severity or even critical vulnerability.

Most exposed are the so-called community images; 8 of the 10 entries in the top 10 most vulnerable images belong to this category. The researchers found no security problems at all in only 18 percent of the images.

The scientists used Anchore Engine, an open-source scanner specialised in containers, for their study. They supplemented its results with their own scripts for analysing Docker images, which they have made available to the general public on GitHub. They found most of the security problems in Python packages and in the JavaScript library lodash.

Quality in stages

Docker is free software for isolating applications in containers. The Docker Hub online service hosts around 3.5 million Docker images, making it the largest repository for containers. These are divided into four categories: Community, Verified, Certified and Official. Anyone can publish community images; for Verified, the publisher must be registered with the Docker Technology Partner Program.

Certified means that the images follow certain best practices and undergo automated baseline tests. Only for Official status does a Docker team explicitly check the images for security problems. This apparently pays off, because the researchers found the fewest serious vulnerabilities in this category; but even there the figure was still 46 percent. This strongly suggests that security-conscious Docker users should harden their installations themselves afterwards, or at least seal them off with strict access restrictions.

Translated with www.DeepL.com/Translator (free version)
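The measurement the article reports, as an added example that is not the study's own script and not code from the Heise article: it takes per-image scan reports (constructed here; the vulnerability IDs are placeholders rather than real advisories, the image names are hypothetical, and the per-finding field names assume the shape of `anchore-cli image vuln <image> all --json` output), applies the study's criterion (at least one High or Critical finding), and breaks the result down by Docker Hub category and by most-affected package. For the hardening advice in the last paragraph it also splits an image's severe findings into those a rebuild with upgraded packages can remove and those that need compensating controls such as access restrictions.

```python
"""Aggregate container image scan results the way the study's headline numbers do.

Added example, not the researchers' scripts. Finding fields (vuln, severity,
package, package_type, fix) assume the anchore-cli JSON shape; adapt them to
whatever scanner you run. All sample data below is constructed.
"""
from collections import Counter

SEVERE = {"High", "Critical"}
SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def finding(vuln, severity, package, package_type, fix=None):
    """One scanner finding; fix=None means the scanner knows no fixed version."""
    return {"vuln": vuln, "severity": severity, "package": package,
            "package_type": package_type, "fix": fix}


# Constructed reports, one per image. "SAMPLE-*" IDs and "x.y.*" fix versions
# are placeholders, not real advisories or releases.
REPORTS = [
    {"image": "official/base", "category": "Official", "vulnerabilities": []},
    {"image": "official/python-app", "category": "Official", "vulnerabilities": [
        finding("SAMPLE-0001", "High", "urllib3", "python", fix="x.y.1"),
        finding("SAMPLE-0002", "Low", "libc", "dpkg")]},
    {"image": "certified/web", "category": "Certified", "vulnerabilities": [
        finding("SAMPLE-0003", "Critical", "lodash", "npm", fix="x.y.2"),
        finding("SAMPLE-0004", "High", "openssl", "apk")]},
    {"image": "verified/db", "category": "Verified", "vulnerabilities": [
        finding("SAMPLE-0005", "Medium", "zlib", "dpkg")]},
    {"image": "community/tools", "category": "Community", "vulnerabilities": [
        finding("SAMPLE-0003", "Critical", "lodash", "npm", fix="x.y.2"),
        finding("SAMPLE-0006", "High", "pyyaml", "python"),
        finding("SAMPLE-0007", "High", "curl", "dpkg", fix="x.y.3")]},
    {"image": "community/legacy", "category": "Community", "vulnerabilities": [
        finding("SAMPLE-0006", "High", "pyyaml", "python"),
        finding("SAMPLE-0008", "High", "lodash", "npm", fix="x.y.2")]},
]


def max_severity(report):
    """Highest severity rating among a report's findings ("None" for a clean image)."""
    if not report["vulnerabilities"]:
        return "None"
    return max((v["severity"] for v in report["vulnerabilities"]), key=SEVERITY_RANK.__getitem__)


def is_severely_vulnerable(report):
    """The study's criterion: at least one High or Critical finding."""
    return any(v["severity"] in SEVERE for v in report["vulnerabilities"])


def severe_share_by_category(reports):
    """Percentage of images per Docker Hub category that meet the criterion above."""
    total, severe = Counter(), Counter()
    for r in reports:
        total[r["category"]] += 1
        if is_severely_vulnerable(r):
            severe[r["category"]] += 1
    return {cat: round(100 * severe[cat] / total[cat]) for cat in total}


def clean_share(reports):
    """Percentage of images with no findings at all (the article's 18 percent figure)."""
    clean = sum(1 for r in reports if not r["vulnerabilities"])
    return round(100 * clean / len(reports))


def top_vulnerable_images(reports, n=3):
    """Images ranked by number of severe findings, with category and count."""
    def severe_count(r):
        return sum(v["severity"] in SEVERE for v in r["vulnerabilities"])
    ranked = sorted(reports, key=severe_count, reverse=True)
    return [(r["image"], r["category"], severe_count(r)) for r in ranked[:n]]


def most_affected_packages(reports, n=3):
    """(package_type, package) pairs behind the most severe findings across all images."""
    counts = Counter((v["package_type"], v["package"])
                     for r in reports for v in r["vulnerabilities"]
                     if v["severity"] in SEVERE)
    return counts.most_common(n)


def remediation_plan(report):
    """Split severe findings into upgradeable packages and ones needing compensating controls."""
    severe = [v for v in report["vulnerabilities"] if v["severity"] in SEVERE]
    return {
        "upgrade": [(v["package"], v["fix"]) for v in severe if v["fix"]],
        "mitigate": [v["package"] for v in severe if not v["fix"]],
    }


if __name__ == "__main__":
    print("severe share by category:", severe_share_by_category(REPORTS))
    print("clean images:", clean_share(REPORTS), "%")
    print("most vulnerable images:", top_vulnerable_images(REPORTS))
    print("most affected packages:", most_affected_packages(REPORTS))
    for r in REPORTS:
        print(r["image"], max_severity(r), remediation_plan(r))
```

The `remediation_plan` split is the part a practitioner acts on: findings with a known fixed version disappear by rebuilding the image against updated packages, while findings without a fix are exactly the ones the article's closing advice about access restrictions is aimed at. On the constructed data the most-affected packages come out as lodash and a Python package, mirroring the study's observation, but that is a property of the sample, not a result.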

8 thoughts on “Study: 80% of certified docker images have severe security vulnerabilities (German article)”

  1. That’s exactly the reason why, in my company, we dropped the official Tomcat container in favour of the official Alpine image, plus updates, plus downloading and installing the latest Tomcat manually.

    0 known system vulnerabilities in Anchore Engine since then, and it's working perfectly.

  2. While this is not good, and I do not want to minimize the issue, it’s important to understand that there’s a difference between a package present in an image having a vulnerability and there being a code path that could make use of it when running the actual app container. I’d wager that the vast majority of these are not really exploitable. It is a naive security scan that simply checks for outdated versions of packages.

    This also illustrates how the use of slim images, or even better, binary-only images when possible can help avoid these kinds of hidden vulnerabilities.

  3. I wonder how it compares against non-dockerized releases. I would expect that they have fewer vulnerabilities since they wouldn’t include all the dependencies.

