Following the publication of CVE-2019-5021—an issue relating to the use of a blank (null) password for root accounts in Alpine Linux Docker images—security researchers have turned their attention toward Docker in earnest, uncovering similar issues of unprotected root accounts in other containers. Because Docker containers are essentially inert when not in use, a systematic evaluation of what CVEs are present in the most popular containers is a complex task.
Jerry Gamblin, principal security engineer at Kenna Security, created VulnerableContainers.org to evaluate the security of the 1,000 most popular containers based on downloads, and scans them for vulnerabilities. Using the open-source Trivy security tool, and a virtual machine on AWS, Gamblin’s script evaluates Docker images in execution to determine if vulnerabilities exist, which are then measured for severity according to Kenna Security’s proprietary Risk Scoring methodology.
Official and popular Docker containers are filled with vulnerabilities
The results, frankly, are dramatic, with even relatively recently-updated containers having numerous vulnerabilities.
Containers distributed by CircleCI, including Elixr, Golang, and OpenJDK, have hundreds of open vulnerabilities, while Ubuntu containers maintained by shared web host 1&1 Internet are vulnerable to an IMAP vulnerability (CVE-2018-19518). These containers were updated this month.
SEE: Server virtualization: Best (and worst) practices (free PDF) (TechRepublic)
Microsoft’s containers for ASP.NET Core and .NET have hundreds each, with PowerShell containing 30. OpenShift’s Origin-Release container, updated this week, contains over 1,000 known CVEs, with the most severe (CVE-2016-2776) given the highest possible score by Kenna Security. Origin-Base, also updated this week, contains 420 known CVEs, with the most severe (CVE-2014-6278) receiving a score of 900.
Docker enjoys a great deal of popularity for HomeLab enthusiasts, using prebuilt images to control Internet of Things (IoT) devices in their home. Home Assistant, which was last updated on June 25, has 721 open vulnerabilities with the most critical scored 760—according to Gamblin, scores above 660 are considered high risk and should be immediately remediated. Home Assistant has nearly 80 million downloads.
Likewise, several images maintained by LinuxServer.io—have dozens of open vulnerabilities, with the most severe and commonly recurring being a medium-risk integer overflow in SQLite (CVE-2018-20346). The official Docker image of Plex Media Server, likewise, contains 79 known CVEs.
Notably, HashiCorp’s popular images are rather commendable—Packer and Terraform contain only two and one vulnerability each; both are low-severity and are easily patchable in a future update—the vulnerabilities relate to libcurl and OpenSSL, respectively.
Gamblin notes in a blog post that “Over 60 percent of the top Docker files held a vulnerability that had a Kenna Risk Score above 330; and over 20 percent of the files contained at least one vulnerability that would be considered high risk under Kenna’s scoring model,” adding that the average (mean) number of CVEs per container is 176, with the median at 37.
Following some work on refactoring the code—including adding a caching layer to improve performance for successive runs—Gamblin plans to release the code used for testing.
For more on security, learn why half of enterprises struggle to keep pace with cloud security, and how fraudulent domain names are powering phishing attacks.