More than 30 percent of Docker Hub containers have security issues

Docker Hub has a problem. It’s not entirely unique to Docker Hub because it’s an issue facing just about any public repository. The issue is that flaws and vulnerabilities are discovered after the container images are pushed to Docker Hub but it’s not clear who–if anybody–is responsible for updating or maintaining the images.

I wrote about the security issues in Docker Hub in this blog post:

Docker Hub is an online repository for developers to share and collaborate on containers. It is a great service with tremendous potential to empower developers to work more efficiently and create incrementally better work by building on work that has already been done rather than reinventing the wheel from scratch every time. It also introduces some security concerns.

The security issue facing Docker Hub is similar to the issues facing just about any online, public platform. First of all, like the Google Play store it enables ethically-challenged developers to upload malicious content intentionally. Without some sort of gatekeeper to verify and approve containers in the Docker Hub it’s a bit of a “Wild West” scenario where you either have to trust that the container is secure or do your own due diligence before using it.

The second security concern—which is a much more prevalent and ongoing issue—is whether or not containers are maintained once they’re uploaded to Docker Hub. As new flaws or vulnerabilities are discovered that impact containers that have already been created who is responsible for making sure the containers are patched and updated?

A recent report suggests that this is a pretty big problem for Docker Hub. “Surprisingly, we found that more than 30 percent of images in official repositories are highly susceptible to a variety of security attacks (e.g., Shellshock, Heartbleed, Poodle, etc.),” according to a blog post from Banyan. “For general images – images pushed by docker users, but not explicitly verified by any authority – this number jumps up to ~40% with a sampling error bound of 3 percent.”

The situation is probably not any better for private repositories like Docker Trusted Registry. The Banyan post explains that the researchers expect that they’d find similar results if it looked into private registries. “Enterprises typically deploy containers continuously based on golden images that are periodically updated to have the latest packages. Even with these practices in place, enterprises remain susceptible to vulnerabilities; rigorous operations management practices with real-time monitoring are required to ensure security.”

Read the full post at ContainerJournal: The Security dilemma of Docker Hub.

• About
• Latest Posts

Tony Bradley

Editor-in-Chief at TechSpective

I have a passion for technology and gadgets--with a focus on Microsoft and security--and a desire to help others understand how technology can affect or improve their lives. I also love spending time with my wife, 7 kids, 4 dogs, 7 cats, a pot-bellied pig, and sulcata tortoise, and I like to think I enjoy reading and golf even though I never find time for either. You can contact me directly at tony@xpective.net. For more from me, you can follow me on Twitter, Facebook, Instagram and LinkedIn.

Latest posts by Tony Bradley (see all)

• Ransomware-Proof Your Data Backups with Immutability - April 10, 2024
• Unearthing Identity Threat Exposures - April 1, 2024
• Future of Tech and Cybersecurity Looks Bright Thanks to AI - March 26, 2024