Docker Hub harboring harm — research

Researchers have found dozens of security vulnerabilities in thousands of Docker images.
17 June 2020

Containers’ promise compromised by security concerns? Source: Shutterstock

  • Researchers have found ‘high’ security vulnerabilities in Docker images
  • Images containing Python and the JavaScript Lodash library were the most commonly affected
  • With developers now relying on containers, many applications ‘in the wild’ could be vulnerable

One of the many attractive elements of the Docker containerization framework is the availability in the public domain of the many thousands of ready-rolled Docker containers in the Docker Hub.

Unfortunately, a team of researchers from the Norwegian University of Science and Technology has found a significant number of security vulnerabilities in the Docker images it tested.

Docker images can be thought of as ready-made gobbets of computer code that are capable of running services or applications either alone, or in virtualized networks with one another, with each image containing the dependencies, libraries, and other supporting components required by the code.

The standalone images are often used in the style of building blocks, whereby entire, complex services can be quickly spun up and hosted on platform-agnostic hosts by using carefully chosen images that require a minimum of tweaking to make them fit for purpose. The starting point for many projects is the Docker Hub — which remains the traditional first point of contact for many developers hoping to find that someone has covered the ground they need before them, thus reducing overall development times by an order of magnitude.

However, the Norwegian team found that even in the Certified channel (containing those Docker images that have been proven to have undergone a sizable amount of scrutiny), images contained security vulnerabilities described as “high.”

Images containing Python and the JavaScript Lodash library were the most commonly affected across all the Docker Hub channels, including the Official channel images, which are considered base level and contain operating-system-level code.

Perhaps unsurprisingly, the Community Docker Hub channel, whose images receive little oversight other than occasional and unregimented peer review, was found to be the worst security culprit — and a significant proportion of those images were found not to have been altered or updated in over 400 days.

Given the time constraints and budgetary pressure that DevOps teams often operate under, it seems highly likely that many applications in production will contain suspect Docker images taken more-or-less verbatim from the hub.

While microservice-based applications offer a fast, efficient, and malleable way to spin up highly complex configurations, it would be wrong to assume any container’s security is of the highest quality.

Although the images are freely available and widely and openly distributed, the adage of caveat emptor (buyer beware) holds good, even in the “free software” arena. While no malicious code examples were flagged by the Norwegian trio of testers, the small sample they took from the many tens of thousands of available images would not be able to rule that possibility out.

Speaking to The Register, a spokesperson from Docker said:

“Docker is aware of the Norwegian University of Science and Technology (NTNU) analysis describing potential vulnerabilities of images on Docker Hub and it is consistent with other analysis before. We are currently reviewing the report to validate its claims and will continue to monitor the situation and communicate further to the Docker community as appropriate. Docker takes security seriously and actively works with Publishers to provide them tools to secure their images and encourage them to keep their software on Docker Hub up to date.”