Report: Docker Hub Container Vulnerabilities High

Prevasio, a provider of a cloud service for scanning container images, this week released a report based on a scan of 4 million public container images found in Docker Hub that concludes just over half the images (51%) were rife with critical vulnerabilities.

Only 13% of container scans resulted in what Prevasio deemed to be high vulnerabilities, while 4% were considered what the company concluded were moderate vulnerabilities.

Among images that were malicious or potentially harmful, the report found 6,433, representing 0.16% of all publicly available images on Docker Hub. Those images had been compromised by various cryptominers, hacking tools/pen-testing frameworks and backdoor trojans.

There were also more than 400 examples, from nearly 600,000 pulls, of weaponized Windows malware crossing over into the world of Linux. That crossover is enabled by cross-platform code that is being employed within containers.

Dubbed Operation Red Kangaroo, the Prevasio research is based on scans conducted by running Prevasio Analyzer, a behavioral analytics tool designed specifically for containers, for one month using 800 machines running in parallel. Prevasio ran each container it scanned within that dedicated virtual environment for vulnerabilities.

Out of the entire scope of publicly available images, 10% could not be analyzed because they were missing the tags that, together with the name, identify an image. Such misconfigured images cannot be downloaded and analyzed. Nearly 1% of all images are built for Windows only; these were also excluded from the analysis.

Prevasio CTO Sergei Shevchenko says the report makes it clear that developers should not assume container images on public registries are secure enough to reuse without first being scanned for malware. While a large percentage of the malware discovered by Prevasio was cryptominers (44%)—which many developers view as being comparatively innocuous—Shevchenko notes that level of infestation indicates that containers on public registries are susceptible to other forms of more malicious malware.

As such, organizations that are now employing containers from public registries to build mission-critical applications that drive digital business transformation initiatives should proceed with care, he advises, noting that public container registries are the security equivalent of the Wild West.

It’s not clear to what degree security concerns might impact the rate at which organizations are willing to employ containers to build cloud-native applications based on microservices. However, Docker Inc. is making a concerted effort to make sure containers on its registry are secure.

The primary issue, of course, is not the containers themselves but rather the software that is embedded within them. Containers provide a way to package and distribute software more efficiently, which includes any malware added either purposefully or inadvertently. The challenge facing IT teams today is implementing a set of best DevSecOps processes for containerized applications that discovers that malware long before it ever makes it into a production environment.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
