Back in 2015, security biz BanyanOps found that about 40 per cent of Docker images distributed through Docker Hub had high-priority vulnerabilities. That was when the Docker Hub repository stored about 95,000 Docker images.
Docker images are sets of instructions for creating a functioning Docker container. Instantiating a Docker container with an image involves pulling together resources, such as an operating system, code libraries, and application files, to present them as a containerized application.
Docker Hub today has grown to about 3.5 million Docker images. Its security risks appear to have grown too.
A trio of boffins from the Norwegian University of Science and Technology (NTNU) – Katrine Wist, Malene Helsem, and Danilo Gligoroski – put 2,500 Docker images from Docker Hub to the test and found most of them wanting.
In a research paper [PDF] distributed via ArXiv, the computer security researchers describe how they used the open-source Anchore Engine security scanner and their own scripts to analyze a sample set of 2,500 Docker images.
They found about 17.8 per cent (430) of the Docker images contained no known vulnerabilities, or 21.6 per cent (533) if you ignore negligible vulnerabilities.
Docker Hub classifies images in four categories: Community, Verified, Certified, and Official. Community images can come from anyone – all you need is a Docker ID. Verified images come from entities enrolled in the Docker Technology Partner program, which verifies that the publisher is the source of the content.
Certified images receive even greater scrutiny – intended for enterprise customers, they're supposed to follow recommended best practices, pass a functional API test suite, and complete a vulnerability scanning assessment. And Official images, which provide base operating system repositories and similar resources, get vetted by a dedicated team at Docker.
Perhaps unsurprisingly, the researchers found 8 of the 10 most vulnerable images were Community images. The worst offender is the jackson-databind-2.4.0 package, with 710 critical vulnerabilities. In second place is Python-2.7.5 with 520 critical vulnerabilities.
But Community images were not the worst on average. That dishonor went to Certified images.
"To our surprise, the Certified images are the most vulnerable when considering the median value," the paper stated. "They had the most high-rated vulnerabilities as well as the most vulnerabilities rated as low. As many as 82 per cent of certified images contain at least either one high or critical vulnerability."
Official images were the most secure, but that's not saying much: about 45 per cent of them had at least one vulnerability rated critical or high. Among Community and Verified images, those figures were 68 per cent and 57 per cent, respectively.
Docker Hub images could also use a bit of pruning or revitalization: about 30 per cent of them haven't been updated in more than 400 days.
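The figures above (share of images with no known vulnerabilities, share with at least one high or critical finding per publisher category, the median count per category, and the share not updated in over 400 days) are all simple aggregations over per-image scanner output. The script below is an added example, not code from the paper or from Anchore, showing how to compute the same kind of summary for your own registry. It assumes a normalized per-image record (image name, category, last-updated date, and a count per severity) that you would build from whatever scanner you run; that schema and the sample records are constructed for this example and are not Anchore Engine's output format or the study's data.

```python
from datetime import date
from statistics import median

# Constructed sample records. The schema is an assumption of this example: a
# normalized summary you would derive from your scanner, not Anchore's own JSON.
SAMPLE_SCANS = [
    {"image": "community/app-a", "category": "Community", "last_updated": "2019-01-10",
     "severity_counts": {"Critical": 3, "High": 12, "Medium": 20, "Low": 5, "Negligible": 40}},
    {"image": "community/app-b", "category": "Community", "last_updated": "2020-05-20",
     "severity_counts": {"Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Negligible": 2}},
    {"image": "community/app-c", "category": "Community", "last_updated": "2020-03-01",
     "severity_counts": {"Critical": 0, "High": 0, "Medium": 4, "Low": 1, "Negligible": 0}},
    {"image": "verified/db", "category": "Verified", "last_updated": "2020-04-15",
     "severity_counts": {"Critical": 1, "High": 2, "Medium": 0, "Low": 0, "Negligible": 3}},
    {"image": "certified/erp", "category": "Certified", "last_updated": "2018-11-01",
     "severity_counts": {"Critical": 0, "High": 30, "Medium": 10, "Low": 50, "Negligible": 0}},
    {"image": "certified/crm", "category": "Certified", "last_updated": "2019-02-01",
     "severity_counts": {"Critical": 5, "High": 8, "Medium": 0, "Low": 30, "Negligible": 0}},
    {"image": "library/base-os", "category": "Official", "last_updated": "2020-05-28",
     "severity_counts": {"Critical": 0, "High": 0, "Medium": 0, "Low": 0, "Negligible": 0}},
    {"image": "library/runtime", "category": "Official", "last_updated": "2020-05-01",
     "severity_counts": {"Critical": 0, "High": 1, "Medium": 0, "Low": 0, "Negligible": 6}},
]

NEGLIGIBLE = {"Negligible", "Unknown"}  # severities ignored for the second "clean image" figure
STALE_DAYS = 400                          # threshold used in the article for "not updated"
AS_OF = date(2020, 6, 1)                  # constructed reference date for the staleness check


def total_vulns(rec, ignore=()):
    """Number of findings in one image, optionally dropping some severities."""
    return sum(n for sev, n in rec["severity_counts"].items() if sev not in ignore)


def has_high_or_critical(rec):
    """True if the image carries at least one High or Critical finding."""
    counts = rec["severity_counts"]
    return counts.get("Critical", 0) + counts.get("High", 0) > 0


def is_stale(rec, today, stale_days=STALE_DAYS):
    """True if the image's last update is older than the staleness threshold."""
    updated = date.fromisoformat(rec["last_updated"])
    return (today - updated).days > stale_days


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to divide by."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def worst_offenders(records, n=2):
    """Images ranked by Critical count, highest first, as (image, critical) pairs."""
    ranked = sorted(records, key=lambda r: r["severity_counts"].get("Critical", 0), reverse=True)
    return [(r["image"], r["severity_counts"].get("Critical", 0)) for r in ranked[:n]]


def summarize(records, today):
    """Overall and per-category figures in the shape the study reports them."""
    total = len(records)
    overall = {
        "images": total,
        "pct_no_vulns": pct(sum(total_vulns(r) == 0 for r in records), total),
        "pct_no_vulns_ignoring_negligible": pct(
            sum(total_vulns(r, NEGLIGIBLE) == 0 for r in records), total),
        "pct_stale": pct(sum(is_stale(r, today) for r in records), total),
    }
    by_category = {}
    for cat in sorted({r["category"] for r in records}):
        recs = [r for r in records if r["category"] == cat]
        by_category[cat] = {
            "images": len(recs),
            "median_vulns": median(total_vulns(r) for r in recs),
            "pct_high_or_critical": pct(sum(has_high_or_critical(r) for r in recs), len(recs)),
        }
    return overall, by_category


def run_sample():
    """Convenience entry point over the constructed sample."""
    return summarize(SAMPLE_SCANS, AS_OF)


if __name__ == "__main__":
    overall, by_category = run_sample()
    print("overall:", overall)
    for cat, stats in by_category.items():
        print(f"{cat:10s} {stats}")
    print("worst offenders by Critical count:", worst_offenders(SAMPLE_SCANS))
```

Two choices mirror the article's figures: the "no vulnerabilities" share is computed twice, once counting every severity and once ignoring Negligible findings, and the per-category comparison uses the median rather than the mean so that a single extreme image (like the 710-critical package above) does not dominate a category's score.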
The Register asked Docker whether it could explain why Certified images fared so poorly in this study. A spokesperson offered a general answer that didn't really address that question.
"Docker is aware of the Norwegian University of Science and Technology (NTNU) analysis describing potential vulnerabilities of images on Docker Hub and it is consistent with other analysis before," the spinner said in an email. "We are currently reviewing the report to validate its claims and will continue to monitor the situation and communicate further to the Docker community as appropriate.
"Docker takes security seriously and actively works with Publishers to provide them tools to secure their images and encourage them to keep their software on Docker Hub up to date." ®