Researchers find hidden vulnerabilities in hundreds of Docker containers
2023-02-23 11:00

Rezilion uncovered the presence of hundreds of Docker container images containing vulnerabilities that are not detected by most standard vulnerability scanners and SCA tools.

The research revealed numerous high-severity/critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively.

Some of the hidden vulnerabilities are known to be actively exploited in the wild and are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, including CVE-2021-42013, CVE-2021-41773 and CVE-2019-17558.

These containers either already contain hidden vulnerabilities, or will acquire them as soon as a new vulnerability is disclosed in one of the components that was installed outside the package manager: a scanner that never saw the component being installed will not see it become vulnerable either.

The researchers identified four scenarios in which software ends up in an image without going through the package manager, and therefore without the package-database entry that most scanners rely on: (1) the application itself; (2) the runtimes the application needs in order to operate; (3) the dependencies the application needs in order to work; and (4) dependencies required only for the build or deployment process that are not deleted at the end of the container image build. The report shows how hidden vulnerabilities find their way into container images through each of these paths.

"It's important to note that as long as vulnerability scanners and SCA tools fail to accommodate for these situations, any container image that installs packages or executables in this manner may eventually contain 'hidden' vulnerabilities if any of these components become vulnerable."
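As an added illustration (example code written for this page, not Rezilion's tooling or anything from the report), the Python script below walks a Dockerfile and flags the installation paths described above that leave no record in the OS package database: files fetched with curl or wget, archives extracted into the image, language-level package managers such as pip or npm, prebuilt binaries copied into bin directories, and compiler toolchain packages that are installed with apt/apk/yum and never removed from the final stage. It only reads the Dockerfile, not the built image, so it is a heuristic. Both Dockerfiles are constructed samples; the host example.invalid, the image tags and the names myapp and app are placeholders.

```python
"""Flag software a Dockerfile installs outside the OS package manager.

Added example for this page, not Rezilion's tooling. Heuristic only: it reads
the Dockerfile, not the built image, so it catches the patterns the report
describes but not everything a runtime inspection of the image would.
"""
import re
from dataclasses import dataclass

# Constructed sample exercising all four scenarios from the report
# (example.invalid and myapp are placeholders).
SAMPLE_DOCKERFILE = """\
FROM debian:bullseye-slim
# (4) build dependencies installed and never removed
RUN apt-get update && apt-get install -y build-essential curl
# (2) runtime fetched as a tarball, so dpkg never sees it
RUN curl -fsSL https://example.invalid/openjdk-17.tar.gz | tar -xz -C /opt
# (3) dependencies through a language package manager, not dpkg
RUN pip install flask==2.0.1
# (1) the application itself, copied in as a prebuilt binary
COPY ./bin/myapp /usr/local/bin/myapp
CMD ["myapp"]
"""

# Constructed multi-stage variant: the toolchain stays in the builder stage,
# so only the copied-in binary remains invisible to the package manager.
MULTISTAGE_DOCKERFILE = """\
FROM debian:bullseye-slim AS builder
RUN apt-get update && apt-get install -y build-essential
COPY src/ /src/
RUN make -C /src
FROM debian:bullseye-slim
RUN apt-get update && apt-get install -y --no-install-recommends apache2 \\
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /src/app /usr/local/bin/app
CMD ["app"]
"""

BUILD_TOOLCHAIN = {"build-essential", "gcc", "g++", "make", "cmake", "clang", "autoconf"}
OS_PKG_INSTALL = re.compile(r"^(apt-get|apt|apk|yum|dnf)\s+(install|add)\b")
OS_PKG_REMOVE = re.compile(r"^(apt-get|apt|apk|yum|dnf)\s+(remove|purge|autoremove|del)\b")
LANG_PKG_INSTALL = re.compile(r"^(pip3?|python3? -m pip|npm|yarn|gem|cargo|go)\s+(install|add|get)\b")
DOWNLOADER = re.compile(r"^(curl|wget)\b")
ARCHIVE_EXTRACT = re.compile(r"^(tar\s+(-?\w*x\w*|--extract)|unzip|gunzip)\b")
BIN_DIRS = ("/usr/local/bin", "/usr/local/sbin", "/usr/bin", "/bin", "/opt")


@dataclass(frozen=True)
class Finding:
    line: int        # first line of the offending instruction
    category: str
    command: str


def parse_instructions(dockerfile):
    """Return [(line, INSTRUCTION, args)], joining backslash continuations and skipping comments."""
    out, buf, start = [], [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = n if start is None else start
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        instr, _, args = " ".join(buf).partition(" ")
        out.append((start, instr.upper(), args.strip()))
        buf, start = [], None
    return out


def shell_segments(run_args):
    """Split a RUN line on && || ; and pipes so each program invocation is inspected alone."""
    return [s.strip() for s in re.split(r"&&|\|\||;|\|", run_args) if s.strip()]


def find_unmanaged_installs(dockerfile):
    """Report software entering the final stage without a package-manager record."""
    instructions = parse_instructions(dockerfile)
    # Only the last FROM becomes the shipped image; earlier stages are discarded.
    last_from = max((i for i, (_, ins, _) in enumerate(instructions) if ins == "FROM"), default=0)
    findings, toolchain_installs, toolchain_removed = [], [], False
    for line, instr, args in instructions[last_from:]:
        if instr == "RUN":
            for seg in shell_segments(args):
                if DOWNLOADER.match(seg):
                    findings.append(Finding(line, "downloaded-artifact", seg))
                elif ARCHIVE_EXTRACT.match(seg):
                    findings.append(Finding(line, "extracted-archive", seg))
                elif LANG_PKG_INSTALL.match(seg):
                    findings.append(Finding(line, "language-package-manager", seg))
                elif OS_PKG_INSTALL.match(seg) and BUILD_TOOLCHAIN & set(seg.split()):
                    toolchain_installs.append(Finding(line, "build-deps-left-in-image", seg))
                elif OS_PKG_REMOVE.match(seg):
                    toolchain_removed = True
        elif instr in ("COPY", "ADD") and (args.split() or [""])[-1].startswith(BIN_DIRS):
            findings.append(Finding(line, "prebuilt-binary", f"{instr} {args}"))
    if not toolchain_removed:  # a later apt-get purge/autoremove in the same stage would clear them
        findings.extend(toolchain_installs)
    return sorted(findings, key=lambda f: (f.line, f.category))


if __name__ == "__main__":
    for name, df in (("single-stage", SAMPLE_DOCKERFILE), ("multi-stage", MULTISTAGE_DOCKERFILE)):
        print(f"== {name}")
        for f in find_unmanaged_installs(df):
            print(f"line {f.line:>2}  {f.category:<26} {f.command}")
```

Run against the single-stage sample, the script reports all four paths; against the multi-stage sample it reports only the copied-in binary, which is the point: a multi-stage build removes the leftover toolchain, but the application binary itself still has no package-database entry and still needs an SBOM or a scanner that inspects files rather than package metadata.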


News URL

https://www.helpnetsecurity.com/2023/02/23/hidden-vulnerabilities-docker-containers/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE / DESCRIPTION                                  RISK

2021-10-07  CVE-2021-42013  It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.
                            Risk: network, low complexity; apache fedoraproject oracle netapp; critical, CVSS 9.8

2021-10-05  CVE-2021-41773  Path Traversal vulnerability in multiple products
                            A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49.
                            Risk: network, low complexity; apache fedoraproject oracle netapp; CWE-22; CVSS 7.5

2019-12-30  CVE-2019-17558  Injection vulnerability in multiple products
                            Apache Solr 5.0.0 to Apache Solr 8.3.1 are vulnerable to a Remote Code Execution through the VelocityResponseWriter.
                            Risk: network, high complexity; apache oracle; CWE-74; CVSS 7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Docker 24 0 19 36 20 75