Researchers have found ‘high’ security vulnerabilities in Docker images

2020-06-18

Images containing the Python and JavaScript Lodash libraries were probably the most commonly affected

With developers now depending on containers, many applications ‘in the wild’ could be vulnerable

One of the many attractive elements of the Docker containerization framework is the public availability of many thousands of ready-rolled Docker images on Docker Hub.

Unfortunately, a team of researchers from the Norwegian University of Science and Technology has found a significant number of security vulnerabilities in the Docker images it tested.

Docker images can be regarded as ready-made gobbets of computer code capable of running services or applications, either alone or collectively in virtualized networks, with each image containing the dependencies, libraries, and other peripheral components required by the code.

The standalone images tend to be used as building blocks, whereby entire, complex services can be quickly spun up and hosted on platform-agnostic hosts using carefully chosen images that need a minimum of tweaking to make them fit for purpose. The starting point for many projects is Docker Hub, which remains the traditional first port of call for developers hoping to find that someone has already covered the ground they need, reducing overall development time by an order of magnitude.

However, the Norwegian team found that even in the Certified channel (containing those Docker images which are expected to have undergone a sizable level of scrutiny), images contained security vulnerabilities rated as “high.”

Images containing the Python and JavaScript Lodash libraries were the most commonly affected across all Docker Hub channels, even the Official channel images, which are considered base level and contain virtualized operating-system-level code sets.

Perhaps unsurprisingly, the Community Docker Hub channel, whose images receive little oversight besides occasional and unregimented peer review, was found to be the worst security culprit, and a significant proportion of those images were found not to have been altered or updated in over 400 days.

Given the time constraints and budgetary pressure that DevOps teams often operate under, it appears highly likely that many applications in production contain suspect Docker images taken more or less verbatim from the hub.
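One cheap defensive check that follows from the two findings above (images unchanged for over 400 days, and images pulled verbatim into production) is to flag stale images on a host before they are trusted. The script below is an added example, not code from the article or from the NTNU study; it assumes the operator has already saved the output of `docker image inspect` (which carries a top-level "Created" RFC 3339 timestamp) and feeds it in as JSON. The image names and timestamps are constructed for illustration.

```python
"""Flag stale container images from saved `docker image inspect` output.

Added example (not from the article or the NTNU study). Assumes the JSON
below has the shape of `docker image inspect <image> ...` output; only the
"RepoTags" and "Created" fields are used.
"""
import json
from datetime import datetime, timezone

# Threshold taken from the article: a large share of Community-channel images
# had not been altered or updated in over 400 days.
STALE_AFTER_DAYS = 400

# Constructed sample resembling `docker image inspect` output, trimmed to the
# fields used here. Names and timestamps are made up.
SAMPLE_INSPECT_JSON = json.dumps([
    {"RepoTags": ["example/webapp:1.2"], "Created": "2019-01-15T10:22:31.123456789Z"},
    {"RepoTags": ["example/worker:latest"], "Created": "2020-05-30T08:00:00Z"},
    {"RepoTags": [], "Created": "2018-11-02T12:00:00Z"},  # untagged (dangling) image
])


def parse_created(ts: str) -> datetime:
    """Parse Docker's RFC 3339 timestamp, which may carry nanoseconds.

    datetime.fromisoformat accepts at most microseconds and (before 3.11) no
    trailing 'Z', so trim the fraction to six digits and map 'Z' to '+00:00'.
    """
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    if "." in ts:
        main, rest = ts.split(".", 1)
        digits = 0
        while digits < len(rest) and rest[digits].isdigit():
            digits += 1
        ts = f"{main}.{rest[:digits][:6]}{rest[digits:]}"
    return datetime.fromisoformat(ts)


def image_age_days(created: str, now: datetime) -> int:
    """Whole days between the image's Created timestamp and `now`."""
    return (now - parse_created(created)).days


def find_stale_images(inspect_json: str, now: datetime,
                      max_age_days: int = STALE_AFTER_DAYS) -> list:
    """Return one {"image", "age_days"} record per image older than max_age_days."""
    stale = []
    for rec in json.loads(inspect_json):
        age = image_age_days(rec["Created"], now)
        if age > max_age_days:
            name = rec["RepoTags"][0] if rec["RepoTags"] else "<untagged>"
            stale.append({"image": name, "age_days": age})
    return stale


def stale_images_as_of(inspect_json: str, now_iso: str,
                       max_age_days: int = STALE_AFTER_DAYS) -> list:
    """Convenience wrapper taking the reference time as an RFC 3339 string."""
    return find_stale_images(inspect_json, parse_created(now_iso), max_age_days)


if __name__ == "__main__":
    # Fixed reference date for reproducible output; use
    # datetime.now(timezone.utc) when running this against a real host.
    now = datetime(2020, 6, 18, tzinfo=timezone.utc)
    for item in find_stale_images(SAMPLE_INSPECT_JSON, now):
        print(f"{item['image']}: {item['age_days']} days old, "
              f"exceeds {STALE_AFTER_DAYS}-day threshold")
```

Run as `docker image inspect $(docker image ls -q) > images.json` and then pass the file's contents to `stale_images_as_of` with the current date; age alone does not prove an image is vulnerable, but an image nobody has rebuilt in over a year is a strong signal that its packaged dependencies have not been patched either and deserves a scan before it reaches production.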

While microservice-based applications offer a fast, efficient, and malleable method to spin up highly complex configurations, it would be wrong to assume any container’s security is of the best quality.

Although Docker images are freely available and widely and openly distributed, the adage of caveat emptor (buyer beware) holds good, even in the “free software” arena. While no malicious code examples were flagged by the Norwegian trio of testers, the small sample they took from the many thousands of available images could not rule that possibility out.

Speaking to The Register, a spokesperson from Docker said: