Researchers have revealed numerous critical and high severity vulnerabilities with exploits available publicly hidden in hundreds of popular container images,
Some vulnerabilities are part of the CISA KEV catalog, including CVE-2021-42013, CVE-2021-41773, CVE-2019-17558
The root causes identified in the assessment were the inability to detect software components not managed by package managers.
The standard vulnerability scanners and SCA tools relies on acquiring data from package managers to know what packages exist in the scanned environment, making them susceptible to missing vulnerable software packages in multiple common scenarios in which software is deployed in ways that circumvent these package managers.
The package managers circumventing deployment methods are common in Docker containers. Over 100,000 container images deploy code in a way that bypasses the package managers, including most of DockerHub’s official container images.
These containers either already contain hidden vulnerabilities or are prone to have hidden vulnerabilities if a vulnerability in one of these components is identified.
Four different scenarios in which software is deployed without interaction with package managers were identified such as the
- Application itself
- Runtimes required for the operation of the application
- Dependencies as necessary for the application to work
- Dependencies required for the deployment/build process of the application that are not deleted at the end of the container image build process and show how hidden vulnerabilities can find their way to the container images.
As long as vulnerability scanners and SCA tools fail to accommodate for these situations, any container image that installs packages or executables in this manner may eventually contain ‘hidden’ vulnerabilities if any of these components become vulnerable.