In-brief: A survey out from the firm Banyan finds that official and general repositories on Docker Hub are rife with serious and exploitable software vulnerabilities, including Heartbleed, Shellshock and Poodle.
A survey out from the firm Banyan finds that code repositories on Docker Hub are rife with serious and exploitable software vulnerabilities, including Heartbleed, Shellshock and Poodle.
More than 30 percent of official repositories on Docker Hub contain software images that were found to be “highly susceptible to a variety of security attacks,” according to a report by Jayanth Gummaraju, Tarun Desikan and Yoshio Turner of the firm Banyan. The report is just the latest to warn of the lingering effects of even high-profile flaws like Heartbleed, which can lurk in shared and open source code repositories.
Docker is an open platform that application developers use to develop and run distributed applications. Docker Hub is a cloud-based service for sharing application code. Docker hosts around 75 official repositories on behalf of software vendors and open source organizations including Canonical (Ubuntu Linux), Debian, Red Hat and so on. It is the home of an even larger number of “general repositories” maintained by individuals or small software development organizations – around 95,000 in all, containing hundreds of thousands of unique images.
For their study, the Banyan researchers analyzed all of the official code repositories on Docker and a sampling of 1,700 general repositories. Their findings suggest that both official and general repositories frequently contain serious, exploitable and known vulnerabilities for which a patch is available.
More than a third of all official code images studied by the researchers have high priority vulnerabilities and close to two-thirds have high or medium priority vulnerabilities, they found.
High-profile OpenSSL vulnerabilities like Heartbleed and Poodle were present in close to 10% of official Docker Hub images, months after they were revealed.
“These statistics are especially troublesome because these images are also some of the most downloaded images (several of them have hundreds of thousands of downloads),” they wrote.
While some of the repositories studied may be abandoned (or end-of-life) code, the pattern of vulnerabilities extended even to recently submitted code. For example, when the researchers looked just at Docker Hub images created in 2015, the fraction of images with high severity vulnerabilities was still over a third, while close to three quarters contained high or medium vulnerabilities, they found.
Images marked with the “latest” tag do better – just 23% of those have high severity vulnerabilities and 47% have high or medium severity vulnerabilities. That suggests Docker Hub developers are keeping their newest images up to date, but ignoring older code images.
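The check the survey describes (compare each installed package version against the version that carries the fix, per image tag) and the contrast between “latest” and older tags can be reproduced at small scale. The following is an added example, not Banyan’s tooling: the image tags, package inventories and fixed-in table are constructed sample data. It assumes Debian-style package versions, where a security fix is normally backported into a new distro revision (such as `1.0.1e-2+deb7u7`) rather than shipped as a new upstream release, which is why it implements dpkg-style version ordering instead of comparing upstream release strings.

```python
"""Flag known-vulnerable package versions in container package inventories.

Added example, not Banyan's code: the inventories and the fixed-in table below
are constructed sample data. The check is the one the survey describes, done
per image tag: installed version lower than the version carrying the fix.
"""

# --- dpkg-style version comparison -------------------------------------------
# Debian-based images receive security fixes as new distro revisions, so a fix
# must be expressed and compared as a full distro version, not as the upstream
# release that first contained the fix.

def _order(c):
    """dpkg ordering of non-digit characters: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _cmp_fragment(a, b):
    """Compare one version component by alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # non-digit run, compared character by character (end-of-string counts as 0)
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            cb = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ca != cb:
                return -1 if ca < cb else 1
            i += 1  # equal here means both were real characters
            j += 1
        # digit run, compared numerically so that 10 > 9
        na = nb = 0
        while i < len(a) and a[i].isdigit():
            na = na * 10 + int(a[i]); i += 1
        while j < len(b) and b[j].isdigit():
            nb = nb * 10 + int(b[j]); j += 1
        if na != nb:
            return -1 if na < nb else 1
    return 0

def parse_version(v):
    """Split 'epoch:upstream-revision' into its parts (epoch and revision optional)."""
    epoch = 0
    if ":" in v:
        epoch_str, v = v.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# --- constructed fixed-in table and inventories ------------------------------
# Constructed for this example: package -> (first fixed distro version, severity, flaw).
# In practice these values come from the distribution's security tracker.
FIXED_IN = {
    "openssl": ("1.0.1e-2+deb7u7", "high", "Heartbleed"),
    "bash": ("4.2+dfsg-0.1+deb7u3", "high", "Shellshock"),
    "curl": ("7.26.0-1+wheezy10", "medium", "constructed curl issue"),
}

# Constructed 'name version' inventories for two tags of one hypothetical image:
# the "latest" tag was rebuilt after the fixes, the older tag was not.
INVENTORIES = {
    "example/web:latest": "openssl 1.0.1e-2+deb7u7\nbash 4.2+dfsg-0.1+deb7u3\ncurl 7.26.0-1+wheezy10\n",
    "example/web:1.2": "openssl 1.0.1e-2+deb7u4\nbash 4.2+dfsg-0.1+deb7u1\ncurl 7.26.0-1+wheezy9\n",
}

def parse_inventory(text):
    """Parse 'name version' lines into a dict; malformed or blank lines are skipped."""
    packages = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            packages[parts[0]] = parts[1]
    return packages

def audit_image(inventory_text, fixed_in=FIXED_IN):
    """Return (package, installed, fixed, severity, flaw) for each package below its fix."""
    findings = []
    for name, installed in parse_inventory(inventory_text).items():
        if name in fixed_in:
            fixed, severity, flaw = fixed_in[name]
            if compare_versions(installed, fixed) < 0:
                findings.append((name, installed, fixed, severity, flaw))
    return findings

def audit_all(inventories=INVENTORIES, fixed_in=FIXED_IN):
    """Audit every tag and record its worst severity ('none' when nothing is flagged)."""
    rank = {"high": 2, "medium": 1, "none": 0}
    report = {}
    for tag, text in inventories.items():
        findings = audit_image(text, fixed_in)
        worst = max((f[3] for f in findings), key=rank.get, default="none")
        report[tag] = {"worst": worst, "findings": findings}
    return report

if __name__ == "__main__":
    for tag, result in audit_all().items():
        print(f"{tag}: worst={result['worst']}")
        for name, installed, fixed, severity, flaw in result["findings"]:
            print(f"  {severity:6} {name} {installed} < {fixed} ({flaw})")
```

Run as a script, it reports the older tag as high severity (two high and one medium finding) and the rebuilt “latest” tag as clean, the same split the survey describes between newest and older images. The version comparator matters: Heartbleed was fixed upstream in OpenSSL 1.0.1g, but a Debian package that backported the fix still reports upstream version 1.0.1e, so a check against the upstream release alone would misreport the patched image as vulnerable. The fixed-in versions therefore have to be the distribution’s own fixed revisions, not the upstream release.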
Unsurprisingly, the percentage of general images with vulnerabilities was higher than for official images. In Banyan’s survey, almost 40% of general images have high priority vulnerabilities. Even limiting the survey to images created in 2015 or marked with the “latest” tag, the percentage of vulnerable images hovers between 30% and 40%, the researchers wrote. That number rises to 70% of images when medium priority vulnerabilities are included.