Half of all Docker Hub images have at least one critical vulnerability

A new security analysis of the 4 million container images hosted on the Docker Hub repository revealed that more than half contained at least one critical vulnerability. The review also identified thousands of images that contained malware or potentially harmful applications, highlighting the need for organizations to have strict policies and review processes in place for sourcing container images and third-party software components in general from public repositories.

Attacks that exploit the software supply chain are not new, but the growing popularity of DevOps, agile development and microservice-based software architecture powered by container technologies has fueled growth for public registries that host pre-made software components and images. In turn, this has led to attackers trying to exploit these relationships by publishing malicious code on these package repositories, either directly or by compromising existing accounts.

In its 2020 State of the Software Supply Chain report, open-source governance company Sonatype reported a 430% year-over-year growth in attacks attempting to infiltrate open-source software projects upstream by exploiting the complex web of dependencies among them. Many such attacks have taken advantage of public package repositories to distribute malware, for example npm for the JavaScript ecosystem or PyPI for the Python developer community. Docker Hub is no exception, even if it’s used to distribute pre-built container images rather than individual software packages.

According to the Sonatype report, Docker Hub saw the addition of 2.2 million container images over the past year and is on track to receive 96 billion image pull requests from developers this year.

Vulnerable Docker images

Container technologies like Docker brought major improvements to the speed with which companies can deploy and scale their applications. For example, pulling a pre-built Docker image containing an instance of MySQL from a public registry like Docker Hub to be used by an application takes seconds compared to manually installing and configuring the database server.

However, when using any third-party package in their own projects, organizations must always be aware of the risk of downloading and running outdated versions with known vulnerabilities. Docker containers are no different in this respect; in fact the risk is higher, because a container image bundles a full software stack, an OS layer plus an application layer, rather than a single package.
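One concrete form such a sourcing policy can take, added here as an example and not code from the article or from any vendor it cites: a small Python check that parses each FROM line of a Dockerfile using Docker's image-reference rules and flags base images that are pulled from Docker Hub without a digest pin (so the image actually run may differ from the one reviewed) or from a namespace outside a trusted list. The policy, the function names and the sample Dockerfile are assumptions made for the example.

```python
import re
from collections import namedtuple

# Fields of a parsed image reference: [registry/][namespace/]repo[:tag][@digest]
ImageRef = namedtuple("ImageRef", "registry namespace repo tag digest")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.I)

def parse_image_ref(ref: str) -> ImageRef:
    tag = digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):  # a colon after the last '/' is a tag, not a registry port
        ref, tag = ref[:colon], ref[colon + 1:]
    parts = ref.split("/")
    # Docker treats the first component as a registry only if it looks like a host name
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, parts = parts[0], parts[1:]
    else:
        registry = "docker.io"  # bare names resolve to Docker Hub
    # A one-component Docker Hub name such as "mysql" is an official image under "library"
    namespace = "/".join(parts[:-1]) if len(parts) > 1 else "library"
    return ImageRef(registry, namespace, parts[-1], tag, digest)

def check_dockerfile(text: str, trusted_namespaces=("library",)) -> list:
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref_text, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if ref_text == "scratch" or ref_text.lower() in stages:
            continue  # empty base or an earlier build stage: nothing is pulled
        ref = parse_image_ref(ref_text)
        where = f"line {lineno} ({ref_text})"
        if ref.digest is None:
            findings.append(f"{where}: tag {ref.tag or 'latest'} not pinned by digest; the reviewed image can change")
        if ref.registry == "docker.io" and ref.namespace not in trusted_namespaces:
            findings.append(f"{where}: Docker Hub image outside trusted namespaces, needs review")
    return findings

# Constructed sample Dockerfile; the sha256 value is a placeholder, not a real image digest
SAMPLE_DOCKERFILE = """\
FROM golang:1.21 AS build
FROM someuser/mysql:latest
FROM mysql:8.0@sha256:0000000000000000000000000000000000000000000000000000000000000000
FROM build AS final
"""
```

Running `check_dockerfile(SAMPLE_DOCKERFILE)` yields three findings: the unpinned official golang tag, and two for the third-party `someuser/mysql:latest` line, while the digest-pinned official mysql image and the reuse of the `build` stage pass.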

Copyright © 2020 IDG Communications, Inc.
