
Critical vulnerabilities hidden in hundreds of popular open source containers


Researchers found numerous critical- and high-severity vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively and not detected by most vulnerability scanners and software composition analysis (SCA) tools.  

Rezilion's new research, "Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers," identified over 100,000 Dockerfiles in Docker containers that either already contain or are prone to hidden vulnerabilities. Of note, some of these vulnerabilities are listed in CISA's Known Exploited Vulnerabilities catalog, meaning they are known to have been exploited in the wild, including CVE-2021-42013, CVE-2021-40438, and CVE-2021-41773.

Most standard vulnerability scanners and SCA tools rely heavily on package managers to learn which packages exist and perform their analysis accordingly. However, Docker containers are one of the places where software installation bypasses package managers (for example, a binary downloaded and unpacked directly in the Dockerfile), making it difficult for many scanners and tools to detect vulnerable packages, said Yotam Perkal, director of vulnerability research at Rezilion.
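To make the gap concrete, the following script (an added example, not Rezilion's research tooling or any scanner's own logic) does the simple check a scanner is missing: it walks the common binary directories of an extracted container filesystem and reports every executable that no dpkg package claims in its file list under /var/lib/dpkg/info. The sample root layout it builds is constructed for illustration; the `curl` entry and the untracked `httpd` binary are hypothetical, not findings from the report.

```python
"""Report executables in a container root filesystem that the Debian/Ubuntu
package manager (dpkg) does not own, i.e. software installed outside of it.

Added example. Assumes `root` points at an extracted image filesystem
(for instance the output of `docker export <container> | tar -x -C rootfs`).
"""
import stat
import tempfile
from pathlib import Path

# Directories where Dockerfiles typically drop hand-installed binaries.
DEFAULT_SEARCH_DIRS = ("usr/local/bin", "usr/bin", "bin", "opt")


def dpkg_owned_files(root):
    """Return the set of absolute paths listed in dpkg's per-package
    file lists (/var/lib/dpkg/info/<pkg>.list) inside `root`."""
    owned = set()
    info_dir = Path(root) / "var/lib/dpkg/info"
    if not info_dir.is_dir():
        return owned  # not a dpkg-based image; nothing is "owned"
    for list_file in info_dir.glob("*.list"):
        for line in list_file.read_text(errors="replace").splitlines():
            line = line.strip()
            if line:
                owned.add(line)
    return owned


def untracked_executables(root, search_dirs=DEFAULT_SEARCH_DIRS):
    """Return sorted absolute paths (relative to the image root) of regular,
    executable files under `search_dirs` that no dpkg package claims."""
    root = Path(root)
    owned = dpkg_owned_files(root)
    found = []
    for rel_dir in search_dirs:
        base = root / rel_dir
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            # Skip symlinks and non-files; only real executables matter here.
            if path.is_symlink() or not path.is_file():
                continue
            if not (path.stat().st_mode & stat.S_IXUSR):
                continue
            image_path = "/" + path.relative_to(root).as_posix()
            if image_path not in owned:
                found.append(image_path)
    return sorted(found)


def build_sample_root():
    """Build a constructed, minimal image filesystem in a temp directory:
    dpkg knows about /usr/bin/curl, but /usr/local/bin/httpd was dropped in
    by hand (the pattern the research describes). Hypothetical contents."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "var/lib/dpkg/info").mkdir(parents=True)
    (root / "var/lib/dpkg/info/curl.list").write_text(
        "/usr/bin/curl\n/usr/share/doc/curl\n"
    )
    (root / "usr/bin").mkdir(parents=True)
    (root / "usr/local/bin").mkdir(parents=True)
    for rel in ("usr/bin/curl", "usr/local/bin/httpd"):
        binary = root / rel
        binary.write_bytes(b"#!/bin/sh\nexit 0\n")
        binary.chmod(0o755)
    # A non-executable file must not be reported.
    (root / "usr/local/bin/README").write_text("not a binary\n")
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    for p in untracked_executables(sample):
        print("untracked executable:", p)
```

Anything the script lists is exactly what a package-manager-driven scanner never sees, so it will not be matched against a vulnerability database; each such binary needs its own version check (or a build change that installs it through the package manager). On merged-/usr distributions, /bin is a symlink to /usr/bin and is skipped by design, so one pass over /usr/bin covers both.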

Perkal did not list all the specific tools that fail at this task, but told SC Media that almost every leading commercial vulnerability scanner and SCA tool — including DockerHub's own vulnerability scans — deals with the same challenge.  

Docker spokesperson David Oro told SC Media that the company is aware of the risk and continues working to address it.  

“Malicious actors taking advantage of public resources for the developer community is a big problem that software developers need to be aware of. It happens in GitHub repositories, npm packages, and even in Chrome extensions. Docker Hub, an industry standard of container images that gets billions of pulls each week, is no exception,” said Oro in an email. “We hate seeing bad actors taking advantage of it and have been working to address it directly.”

According to Oro, Docker’s mitigation efforts include surfacing software bills of materials (SBOMs) and integrating Atomist into the platform to better inform developers about the software components and known vulnerabilities within the images.

Although the research is focused on Docker containers, Perkal highlighted that the hidden vulnerability phenomenon can apply to any type of compute where the deployment method bypasses the relevant package manager.

"As long as vulnerability scanners and SCA tools fail to accommodate these situations, any container image that deploys packages or executables in this manner may eventually contain hidden vulnerabilities if any of these components become vulnerable," Perkal said.  

To mitigate the security risk, Perkal said developers should be aware of the issue and try not to circumvent the relevant package manager when installing the required software components.  

He also urged security vendors and open source projects to invest time and resources to close the detection gaps and minimize the risk, saying such gaps “exist across all examined tools.” 

An initiative led by the Open Source Security Foundation called Project Alpha-Omega is also working on building and refining tools for the open source community to help developers detect a wider range of critical vulnerabilities with minimal false positives. 

Menghan Xiao

Menghan Xiao is a cybersecurity reporter at SC Media, covering software supply chain security, workforce/business, and threat intelligence. Before SC Media, Xiao studied journalism at Northwestern University, where she received a merit-based scholarship from Medill and Jack Modzelewski Scholarship Fund.
