https://vulnerablecontainers.org/ James Sanders provides an overview: Following the publication of CVE-2019-5021—an issue relating to the use of a blank (null) password for root accounts in Alpine Linux Docker images—security researchers have turned their attention toward Docker in earnest, uncovering similar issues of unprotected root accounts in other containers. Because Docker containers are essentially inert when not in use, a systematic evaluation of what CVEs are present in the most popular containers is a complex task. Jerry Gamblin, principal security engineer at Kenna Security, created VulnerableContainers.org to evaluate the security of the 1,000 most popular containers based on downloads, and scans them for vulnerabilities. Using the open-source Trivy security tool, and a virtual machine on AWS, Gamblin's script evaluates Docker images in execution to determine if vulnerabilities exist, which are then measured for severity according to Kenna Security's proprietary Risk Scoring methodology. The results, frankly, are dramatic, with even relatively recently-updated containers having numerous vulnerabilities. Containers distributed by CircleCI, including Elixr, Golang, and OpenJDK, have hundreds of open vulnerabilities, while Ubuntu containers maintained by shared web host 1&1 Internet are vulnerable to an IMAP vulnerability (CVE-2018-19518). These containers were updated this month. Microsoft's containers for ASP.NET Core and .NET have hundreds each, with PowerShell containing 30. OpenShift's Origin-Release container, updated this week, contains over 1,000 known CVEs, with the most severe (CVE-2016-2776) given the highest possible score by Kenna Security. Origin-Base, also updated this week, contains 420 known CVEs, with the most severe (CVE-2014-6278) receiving a score of 900. Docker enjoys a great deal of popularity for HomeLab enthusiasts, using prebuilt images to control Internet of Things (IoT) devices in their home. Home Assistant, which was last updated on June 25, has 721 open vulnerabilities with the most critical scored 760—according to Gamblin, scores above 660 are considered high risk and should be immediately remediated. Home Assistant has nearly 80 million downloads. Likewise, several images maintained by LinuxServer.io—have dozens of open vulnerabilities, with the most severe and commonly recurring being a medium-risk integer overflow in SQLite (CVE-2018-20346). The official Docker image of Plex Media Server, likewise, contains 79 known CVEs. Notably, HashiCorp's popular images are rather commendable—Packer and Terraform contain only two and one vulnerability each; both are low-severity and are easily patchable in a future update—the vulnerabilities relate to libcurl and OpenSSL, respectively. |
Author: <see article>
These links serve as tributes to those who have written them. Please find contributor details in the links provided Archives
April 2024
Categories |