Unpatched Vulnerabilities Common on Docker Hub Images

A survey of Docker repositories found that critical vulnerabilities are common in both official and general repositories.

In-brief:  A survey out from the firm Banyan finds that official and general repositories on Docker Hub are rife with serious and exploitable software vulnerabilities, including Heartbleed, Shellshock and Poodle.


A survey out from the firm Banyan finds that code repositories on Docker Hub are rife with serious and exploitable software vulnerabilities, including Heartbleed, Shellshock and Poodle.

More than 30 percent of official repositories on Docker Hub contain software images that were found to be “highly susceptible to a variety of security attacks,” according to a report by Jayanth Gummaraju, Tarun Desikan and Yoshio Turner of the firm Banyan. The report is just the latest to warn of the lingering effects of even high-profile flaws like Heartbleed, which can lurk in shared and open source code repositories.

Docker is an open platform that application developers use to develop and run distributed applications. Docker Hub is a cloud-based service for sharing application code. Docker hosts around 75 official repositories on behalf of software vendors and open source organizations including Canonical (Ubuntu Linux), Debian, Red Hat and so on. It is the home of an even larger number of “general repositories” maintained by individuals or small software development organizations – around 95,000 in all, containing hundreds of thousands of unique images.

For their study, the Banyan researchers analyzed all of the official code repositories on Docker and a sampling of 1,700 general repositories. Their findings suggest that both official and general repositories frequently contain serious, exploitable and known vulnerabilities for which a patch is available.

More than a third of all official code images studied by the researchers have high priority vulnerabilities and close to two-thirds have high or medium priority vulnerabilities, they found.


High-profile OpenSSL vulnerabilities like Heartbleed and Poodle were present in close to 10% of official Docker Hub images, months after they were revealed.


“These statistics are especially troublesome because these images are also some of the most downloaded images (several of them have hundreds of thousands of downloads),” they wrote.

Official Images with Vulnerabilities (Image courtesy of Banyan.)

While some of the repositories studied may be abandoned (or end-of-life) code, the pattern of vulnerabilities extended even to recently submitted code. For example, when the researchers looked just at Docker Hub images created in 2015, the fraction of images with high severity vulnerabilities was still over a third, while close to three quarters contained high or medium vulnerabilities, they found.

Images that are marked as the “latest” submitted do better – just 23% of those have high severity vulnerabilities and 47% have high or medium severity vulnerabilities. That suggests Docker Hub developers are keeping their newest images up-to-date, but ignoring older code images.

Unsurprisingly, the percentage of general images with vulnerabilities was higher than that of official images. In Banyan’s survey, almost 40% of general images have high priority vulnerabilities. Even limiting the survey to images created in 2015 or marked with the “latest” tag, the percentage of vulnerable images hovers between 30% and 40%, the researchers wrote. That number rises to 70% of images when medium priority vulnerabilities are included.
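The kind of aggregation the survey reports (share of images with a high finding, share with high or medium, sliced by creation year or the “latest” tag) can be reproduced on a small scale. The following is an added example, not Banyan’s tooling or anything from the report; the image manifests and the third vulnerability entry are constructed, and the version-range check is deliberately naive: distributions such as Debian backport fixes without bumping the upstream version string, so a scanner built on upstream ranges alone over-reports and a real one consults distro security feeds instead.

```python
import re
from fractions import Fraction
SEVERITY_RANK = {"medium": 1, "high": 2}

# Constructed vulnerability table: (package, first affected, first fixed, severity, id).
# Heartbleed (CVE-2014-0160) really spans upstream OpenSSL 1.0.1 to 1.0.1f, fixed in 1.0.1g;
# the Shellshock (CVE-2014-6271) entry mirrors upstream bash 4.3 patch 25; the third entry is
# made up. Poodle is a protocol flaw (SSLv3 enabled), so it needs a config check, not a range.
VULNS = [
    ("openssl", "1.0.1", "1.0.1g", "high", "CVE-2014-0160"),
    ("bash", "4.3", "4.3.25", "high", "CVE-2014-6271"),
    ("example-lib", "0", "2.0", "medium", "CVE-XXXX-EXAMPLE"),
]

def version_key(version):
    """Sortable key: numeric parts compare as ints, letter suffixes (1.0.1f < 1.0.1g) as text."""
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[a-z]+", version)]

def image_findings(packages):
    """(cve, severity) for every installed package whose version falls in a vulnerable range."""
    hits = []
    for pkg, first, fixed, severity, cve in VULNS:
        installed = packages.get(pkg)
        if installed and version_key(first) <= version_key(installed) < version_key(fixed):
            hits.append((cve, severity))
    return hits

def worst_severity(packages):
    return max((SEVERITY_RANK[s] for _, s in image_findings(packages)), default=0)

def survey(images, select=lambda img: True):
    """Fractions of selected images with a high finding, and with a high or medium one."""
    chosen = [img for img in images if select(img)]
    if not chosen:
        return Fraction(0), Fraction(0)
    worst = [worst_severity(img["packages"]) for img in chosen]
    return Fraction(worst.count(2), len(worst)), Fraction(sum(w >= 1 for w in worst), len(worst))

# Constructed manifests standing in for Docker Hub image metadata plus installed packages.
IMAGES = [
    {"tag": "latest", "year": 2015, "packages": {"openssl": "1.0.1k", "bash": "4.3.30"}},
    {"tag": "1.0", "year": 2014, "packages": {"openssl": "1.0.1e", "bash": "4.3.11"}},
    {"tag": "latest", "year": 2015, "packages": {"openssl": "1.0.2a", "example-lib": "1.4"}},
    {"tag": "2014", "year": 2014, "packages": {"openssl": "1.0.1f", "example-lib": "2.1"}},
    {"tag": "latest", "year": 2015, "packages": {"bash": "4.3.24"}},
    {"tag": "old", "year": 2013, "packages": {"bash": "4.2.53"}},
]
if __name__ == "__main__":
    for label, pick in [("all", lambda i: True), ("latest", lambda i: i["tag"] == "latest")]:
        high, high_or_medium = survey(IMAGES, pick)
        print(f"{label}: high {float(high):.0%}, high or medium {float(high_or_medium):.0%}")
```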


2 Comments

  1. Some Researcher

    I’m not sure I really get what the story is, here. Surely most of, for instance, the code repos on github and googlecode and a bunch of other repo-holding sites also are bristling with vulnerabilities. For that matter, most software is.

    Pointing out the obvious seems like a PR move — or at least a project better attacked academically by some student at university. And what really did they do to test it, anyway? Run a software suite? Fuzzer? What’s the point?

    “More than a third of all official code images studied by the researchers have high priority vulnerabilities and close to two-thirds have high or medium priority vulnerabilities, they found.”

    I audit too, regularly, but not typically en masse like this (best suited to automated tools)… But was this ‘overview’ the point or was finding useful bugs the point? Did they disclose these privately to the coders responsible? If not, why not? What else might they be doing with the information? I’m not saying they’re doing something nefarious but it’d be nice to have some reassurance as to their particular code of ethics.

    If they do choose to responsibly disclose to the authors of the vuln codesets, how long do they wait before they disclose? How long after they privately disclose until they call open season?

    Just curious.

    • This report seems like a good reminder to me to not trust any old image on Docker Hub, even those with the best of intentions, without a closer look. No, that shouldn’t be entirely new news to anyone, but a good reminder nonetheless about the scale of the problem.