Report: Hundreds of Vulnerabilities Lurk Undetected in Containers
We’re excited to release an important piece of research today about dangerous vulnerabilities hiding in container images that are commonly used and found in organizations around the world.
The report, titled “Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers,” uncovers the presence of hundreds of Docker container images with vulnerabilities that are not detected by most standard vulnerability scanners and SCA tools – including DockerHub’s own vulnerability scans. These findings highlight the startling fact that common practices in the build process of almost every container image unknowingly introduce blind spots in the form of hidden vulnerabilities.
The research reveals that these high-severity and critical vulnerabilities hiding in containers go undetected even though the affected images are downloaded billions of times. The findings include high-profile vulnerabilities with publicly known exploits. Because the vulnerabilities are not detected, the door is open for attackers to try to exploit them while defenders are simply unaware of their existence.
This finding follows Part I of the research we conducted in October, which looked at leading open-source and commercial vulnerability scanners and SCA tools and identified the most common causes of scanner misidentifications, including false positive and false negative results. This new research adds to our understanding of the reasons behind these misleading results – chiefly, the inability of scanners to detect software components that are not managed by a package manager.
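The mechanism behind that blind spot can be checked directly: most scanners enumerate components from package-manager metadata (for Debian-based images, the per-package file lists under /var/lib/dpkg/info), so an executable copied in by a `COPY` line or a `curl | tar` step is simply never inventoried. The script below is an added illustration and is not code from the report or from Rezilion; it assumes a dpkg-based image whose root filesystem has been exported to a directory (for example with `docker export`), walks that tree for ELF binaries, and lists the ones no dpkg package claims. The sample root filesystem it builds is constructed inline so the example runs offline.

```python
"""Find ELF executables in an exported container root filesystem that no
dpkg package claims ownership of. Those are the components a metadata-
driven scanner never sees. (Added example, not the report's own tooling.)
"""
import os
import pathlib
import tempfile

ELF_MAGIC = b"\x7fELF"
# Pseudo-filesystems that may appear in a live snapshot; nothing to inspect there.
SKIP_TOP_LEVEL = ("proc", "sys", "dev")


def dpkg_owned_files(root):
    """Collect every absolute path listed in dpkg's per-package .list files."""
    owned = set()
    info_dir = pathlib.Path(root) / "var/lib/dpkg/info"
    if not info_dir.is_dir():
        return owned  # not a dpkg-based image (or metadata was stripped)
    for lst in info_dir.glob("*.list"):
        for line in lst.read_text(errors="replace").splitlines():
            line = line.strip()
            if line:
                owned.add(line)
    return owned


def elf_files(root):
    """Yield image-relative paths ('/usr/bin/curl') of regular files that start
    with the ELF magic bytes. Symlinks are skipped so each binary is reported once."""
    root = pathlib.Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        rel = pathlib.Path(dirpath).relative_to(root)
        if rel.parts and rel.parts[0] in SKIP_TOP_LEVEL:
            dirnames[:] = []  # prune the walk below this directory
            continue
        for name in filenames:
            path = pathlib.Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                with open(path, "rb") as fh:
                    magic = fh.read(4)
            except OSError:
                continue
            if magic == ELF_MAGIC:
                yield "/" + path.relative_to(root).as_posix()


def unmanaged_elf(root):
    """Return sorted image paths of ELF binaries that no dpkg package owns."""
    owned = dpkg_owned_files(root)
    return sorted(p for p in elf_files(root) if p not in owned)


def build_sample_rootfs():
    """Construct a tiny fake exported rootfs (sample data, not a real image):
    - /usr/bin/curl is an ELF file owned by the 'curl' dpkg package
    - /usr/local/bin/node is an ELF file installed outside any package manager
    - /usr/share/doc/README is plain text and must be ignored
    """
    root = pathlib.Path(tempfile.mkdtemp(prefix="rootfs-"))
    info = root / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    (info / "curl.list").write_text("/.\n/usr\n/usr/bin\n/usr/bin/curl\n")

    (root / "usr/bin").mkdir(parents=True)
    (root / "usr/bin/curl").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13)

    (root / "usr/local/bin").mkdir(parents=True)
    (root / "usr/local/bin/node").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 13)

    (root / "usr/share/doc").mkdir(parents=True)
    (root / "usr/share/doc/README").write_text("not a binary\n")
    return str(root)


if __name__ == "__main__":
    import sys
    # Usage: python find_unmanaged.py /path/to/exported/rootfs  (defaults to the sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_rootfs()
    for p in unmanaged_elf(target):
        print("unmanaged ELF:", p)
```

Anything this prints is a component that has to be version-identified and checked against vulnerability data by some other means (a vendored version file, a strings pass, or an SBOM produced at build time), because a scanner that only walks dpkg metadata will report the image as clean of it. Images built on rpm or apk need the equivalent lookup against their own package databases.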
We believe this research is important reading for both developers and security practitioners so they understand that this gap exists in containers and can take action to minimize the risk. We also think an industry-wide conversation is needed among vendors and open-source project leaders so we can move toward support for these scenarios. As long as vulnerability scanners and SCA tools cannot find these hidden vulnerabilities, any container image that installs packages or executables outside its package manager may eventually be vulnerable to exploitation without anyone knowing.
To download the full report, please visit: https://info.rezilion.com/scanner-research-part-ii