Docker Hub users are playing Russian Roulette with Heartbleed, Poodle and Shellshock, according to an analysis of a bunch of images by newly-launched outfit BanyanOps.
The outfit is using the research to bring itself out of stealth-mode, apparently: the company only Tweeted “Hello World” on May 1.
Its claim, blogged here, is that more than 30 per cent of official Docker repos have high-risk images that include the aforementioned vulnerabilities, and for “non-official” images published by users but “not explicitly verified”, that figure is as high as 40 per cent.
The figure strikes The Register as more depressing than surprising, since the convenience of Docker – pull an image from the repository and fire it up with minimal fuss – is broken if you have to parse every image before using it.
BanyanOps' Jayanth Gummaraju, Tarun Desikan and Yoshio Turner – whose backgrounds variously include HP, VMware, the OpenStack packages ElasticSwitch and Gatekeeper – write that they analysed around 960 images on Docker Hub, 73 of which were tagged “latest”.
Those images aren't from nobodies: they include names like Canonical, Debian and Red Hat, although the analysis doesn't associate vulnerabilities with particular vendors.
Of the images created this year, BanyanOps claims, 75 per cent have vulnerabilities that could be assessed as medium or high impact, and even with the analysis constrained only to the 73 “latest” images, they reckon 47 per cent have “high priority” bugs and 23 per cent have “medium priority” bugs.
The three most common buggy packages in the images they analysed were Mercurial, the libtasn1-3 ASN library, and our old friend OpenSSL.
“Some images also contain bash ShellShock (e.g., Centos 5.11), which was discovered over 7 months ago,” the post states. “Even if organisations don’t use some of these packages, not explicitly removing them from containers could make them vulnerable to malicious attacks.” ®
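The analysis described above boils down to one check a defender can reproduce: inventory the packages inside an image and compare each installed version against the first fixed version from an advisory. The script below is an added example and is not BanyanOps' tooling or anything from the Docker project; it implements the Debian/dpkg version-ordering rules (epoch, upstream version, revision, with `~` sorting before everything) and runs them over a constructed `dpkg -l` listing. The advisory table is a hypothetical placeholder with made-up "fixed" versions and labels, not real Debian security data.

```python
import re

# Constructed sample of `dpkg -l` output, as one would get from
# `docker run --rm <image> dpkg -l`. Versions here are illustrative.
SAMPLE_DPKG_LIST = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name           Version            Architecture Description
+++-==============-==================-============-=========================
ii  openssl        1.0.1e-2+deb7u4    amd64        Secure Sockets Layer toolkit
ii  bash           4.2+dfsg-0.1       amd64        GNU Bourne Again SHell
ii  libtasn1-3     2.13-2             amd64        Manage ASN.1 structures
ii  mercurial      2.2.2-3            amd64        scalable distributed version control
"""

# Hypothetical advisory table (placeholder data, not a real Debian feed):
# package -> (first fixed version, human-readable label).
PLACEHOLDER_ADVISORIES = {
    "openssl":    ("1.0.1e-2+deb7u5", "Heartbleed-class OpenSSL flaw"),
    "bash":       ("4.2+dfsg-0.1+deb7u1", "ShellShock-class bash flaw"),
    "libtasn1-3": ("2.13-2", "libtasn1 parsing flaw (already fixed here)"),
}


def _char_order(c):
    # dpkg ordering for non-digit characters: '~' sorts before end-of-string,
    # end-of-string before letters, letters before every other symbol.
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return oa - ob
    return 0


def _cmp_fragment(a, b):
    # Alternate between non-digit runs (compared by dpkg char order) and
    # digit runs (compared numerically) until one side is exhausted.
    while a or b:
        ma, mb = re.match(r"\D*", a), re.match(r"\D*", b)
        r = _cmp_nondigit(ma.group(), mb.group())
        if r:
            return r
        a, b = a[ma.end():], b[mb.end():]
        da, db = re.match(r"\d*", a), re.match(r"\d*", b)
        na, nb = int(da.group() or 0), int(db.group() or 0)
        if na != nb:
            return na - nb
        a, b = a[da.end():], b[db.end():]
    return 0


def parse_version(v):
    # "[epoch:]upstream[-revision]"; only the last '-' separates the revision.
    epoch, sep, rest = v.partition(":")
    if not sep or not epoch.isdigit():
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a is older, equal or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def parse_dpkg_list(text):
    """Map installed package name -> version from `dpkg -l` output."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            installed[parts[1].split(":")[0]] = parts[2]  # drop ':arch' suffix
    return installed


def find_vulnerable(dpkg_text, advisories):
    """Return (package, installed, fixed, label) for each package older than its fix."""
    installed = parse_dpkg_list(dpkg_text)
    findings = []
    for pkg, (fixed, label) in advisories.items():
        if pkg in installed and compare_versions(installed[pkg], fixed) < 0:
            findings.append((pkg, installed[pkg], fixed, label))
    return findings


if __name__ == "__main__":
    for pkg, have, fixed, label in find_vulnerable(SAMPLE_DPKG_LIST, PLACEHOLDER_ADVISORIES):
        print(f"{pkg}: installed {have} < fixed {fixed}  ({label})")
```

Run against a real image, the inventory step doubles as the "do we even need this?" review the post calls for: every package the listing shows that the application never touches is attack surface that a `RUN apt-get purge` line in the Dockerfile can remove.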