Vulnerabilities in the Container Ecosystem: A Brief History
Now that containers have been around for a few years and have had their share of disclosed vulnerabilities, it’s time to revisit some of the more interesting ones and see if there’s a recurring theme or any underlying trend to highlight.
We found some of the more severe CVEs disclosed during 2017-2019 that affected the container ecosystem and listed them below. For details on each CVE, continue reading.
|CVE-2017-1002101||subPath Volume Mount Vulnerability||Docker|
|CVE-2018-1002105||Severe Privilege Escalation Vulnerability||Kubernetes|
|CVE-2018-8115||Windows Host Compute Service Shim (hcsshim)||Windows|
|CVE-2018-11757||Docker Skeleton Runtime Vulnerability||Docker|
|CVE-2018-1000056||Jenkins JUnit Plugin Vulnerability||Jenkins|
|CVE-2019-1002100||API Server Patch Permission DoS Vulnerability||Kubernetes|
|CVE-2019-5736||High Severity RunC Vulnerability||Docker|
|CVE-2019-1003065||Jenkins CloudShare Docker-Machine Plugin Vulnerability||Jenkins|
What Can We Learn from Vulnerabilities?
These CVEs demonstrate that key components in the toolchain and the stack, if vulnerable, can affect a containerized application. It’s not just the container code itself, or the container engine that may affect your security posture, but rather many elements across the stack.
These components may include:
- The host OS (Linux) and its kernel
- Jenkins, Docker, or any other tool involved in the process of building containers
- Kubernetes, and especially its API server, which is the control point of the entire cluster
Additionally, anything you put inside a container image that is vulnerable might affect your application. Code vulnerabilities inside containers can also, potentially, have a detrimental effect on the host and the cluster. This is especially the case when combined with other CVEs, or with bad practices, such as running with root privileges.
Security by Design
In addition to the shift-left approach of dealing with security issues early in the design phase before deployment and monitoring applications in runtime, I suggest using these Aqua tools to check for vulnerabilities:
- MicroScanner: A free tool used for scanning your container images for package vulnerabilities. If the MicroScanner finds a high-severity vulnerability, it returns a non-zero exit code (as well as reporting the details in JSON format), and that in turn fails the image build.
- Kube-Hunter: An open-source tool that hunts for Kubernetes security issues in your clusters. It was designed to increase awareness and visibility of the security controls in Kubernetes environments.
- Kube-Bench: An open-source tool that will help you configure your cluster more securely so that CVEs may have less impact. You can run it on each of your nodes to establish how well your deployment meets the best practice recommendations from the CIS community. Not only do you get information about whether each test passes or fails, but you also get advice on how to remediate any issues that have been detected.
There’s no way to prevent vulnerabilities entirely. Software has always had flaws and will continue to have them. However, we can take proactive measures to reduce their proliferation in containerized applications. We can practice security by design, both before deployment and during runtime, as an attempt to keep vulnerabilities at bay so they will occur with less frequency and have less impact.
Container Vulnerabilities and Mitigations
CVE-2017-1002101: subPath Volume Mount Vulnerability
CVE-2017-16995: eBPF Vulnerability
You can run Kube-Hunter on your network to discover whether your infrastructure is exposed to this vulnerability. It is used to discover all Kubernetes nodes in the network and to run automated penetration testing based on known vulnerabilities and exploitation techniques.
CVE-2018-8115: Windows Host Compute Service Shim (hcsshim)
CVE-2018-11757: Docker Skeleton Runtime Vulnerability
CVE-2018-1000056: Jenkins JUnit Plugin Vulnerability
CVE-2019-1002100: Mitigating the Kubernetes API Server Patch Permission DoS Vulnerability
CVE-2019-5736: High Severity RunC Vulnerability
CVE-2019-1003065: Jenkins CloudShare Docker-Machine Plugin Vulnerability
If exploited, an “attacker may leverage these issues to execute arbitrary script code in the browser of the victim in the context of the affected site, steal cookie-based authentication credentials, and gain access to sensitive information. This may aid in further attacks.”