A Security Review of Docker Official Images: Which Do You Trust?

A key element in building secure containerized applications is to ensure that the base image that you use is well-maintained and secure. A common piece of advice is to use the Docker Official Images for this purpose. However, our research reveals that you need to be careful when using these images, as some are no longer fully maintained.

What are Docker Official Images?

The Docker Official Images are a set of base images hosted by Docker, maintained by the docker-library project together with the relevant upstream organization. In the Docker CLI, official images are marked OFFICIAL in search listings, and on Docker Hub they carry a badge showing their status, as shown for the rails image below:

[Screenshot: the rails official image on Docker Hub, showing the Official Image badge]

The official image set on Docker Hub is also easily spotted by the fact that you don’t need to specify a username when pulling them. For example, this line below will create a container based on the official Ubuntu image:

docker run -it ubuntu:20.04 /bin/bash

Scanning Docker Official Images

Using the Docker Hub API, we pulled the descriptions of the 167 official images. We then analyzed these for security vulnerabilities with Aqua’s Trivy scanner, using the “latest” tag where it was available and the “last updated” tag for images where there was no latest tag.
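The tag-selection and counting rule just described, as an added example rather than the authors' own tooling: pick "latest" when the repository has it, otherwise the most recently updated tag, and count the findings Trivy reports with --ignore-unfixed. The Docker Hub tag listing and the Trivy output below are constructed samples, and the Hub endpoint path in the docstring is an assumption about the v2 API.

```python
"""Added example (not from the original post): choose the tag to scan for a Docker
Official Image as the post describes, then count unfixed findings in Trivy JSON output.
Docker Hub and Trivy data below are constructed samples."""
import json
import subprocess
from typing import Optional


def select_scan_tag(tags: list) -> Optional[str]:
    """Use 'latest' if present, else the most recently updated tag. `tags` is the
    `results` list from /v2/repositories/library/<name>/tags (assumed shape: each item
    has `name` and an ISO-8601 `last_updated`, so string comparison orders them)."""
    if not tags:
        return None
    if any(t["name"] == "latest" for t in tags):
        return "latest"
    return max(tags, key=lambda t: t["last_updated"])["name"]


def trivy_command(image: str, tag: str) -> list:
    """Scan command; --ignore-unfixed drops findings with no upstream fix, which is
    how the post counts vulnerabilities."""
    return ["trivy", "image", "--ignore-unfixed", "--format", "json", f"{image}:{tag}"]


def count_unfixed(trivy_json: str) -> int:
    """Count vulnerabilities in Trivy JSON (handles both the older top-level list and
    the newer {"Results": [...]} layout; a target may carry Vulnerabilities: null)."""
    data = json.loads(trivy_json)
    results = data.get("Results", []) if isinstance(data, dict) else data
    return sum(len(r.get("Vulnerabilities") or []) for r in results)


def scan_image(image: str, tag: str) -> int:
    """Run Trivy (must be installed and on PATH) and return the unfixed count."""
    out = subprocess.run(trivy_command(image, tag), capture_output=True, text=True, check=True)
    return count_unfixed(out.stdout)


# Constructed sample: a repository that has no 'latest' tag.
SAMPLE_TAGS = [
    {"name": "1.4", "last_updated": "2019-03-02T10:00:00Z"},
    {"name": "1.5", "last_updated": "2020-07-20T08:30:00Z"},
]
# Constructed sample of Trivy JSON: three findings across two targets (IDs are placeholders).
SAMPLE_TRIVY = json.dumps({"Results": [
    {"Target": "img (debian 8.11)", "Vulnerabilities": [{"VulnerabilityID": "X-1"}, {"VulnerabilityID": "X-2"}]},
    {"Target": "Gemfile.lock", "Vulnerabilities": [{"VulnerabilityID": "X-3"}]},
    {"Target": "usr/bin/tool", "Vulnerabilities": None},
]})
```

Calling `scan_image("centos", select_scan_tag(tags))` reproduces one row of the post's count for a live image; the sample data exercises the same logic offline.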

The first noticeable result was that a number of images were running unsupported operating systems — old versions of Debian or Alpine. A manual review of the Docker Hub pages showed that in some cases official images are no longer supported.

While these deprecation notices are visible in the detail of the image, it’s important to note that in the list of official images there is no notification and that the “last updated” dates are still being changed for deprecated images. For example, the deprecated Django image looks like this in the image list:

[Screenshot: the django image as it appears in the Docker Hub list of official images]

But viewing the details of its page shows it’s no longer maintained.

[Screenshot: the django image detail page on Docker Hub, showing the deprecation notice]

A full list of deprecated official images is provided at the end of this post for reference. In addition to the images that had a formal deprecation notice, we found images with a large number of unpatched vulnerabilities but no formal deprecation information.

The following official images had more than 50 unpatched vulnerabilities when scanned with Trivy’s ignore-unfixed option:

  • nuxeo:latest - 186
  • backdrop:latest - 173
  • kaazing-gateway:latest - 95
  • centos:latest - 86

Of these, perhaps the most interesting is the CentOS image, which is a commonly used base image.

How much of a problem is this?

An interesting question related to this issue is how much these deprecated or vulnerable images are actually being used. Obviously, if no one is pulling the images, while it’s not ideal, it’s not a large issue.

Docker Hub’s API provides download counts, so by checking the image pull counts at two points in time, we can establish how many downloads they had. Looking at the period from July 29 to August 10 we can see the following download counts for deprecated or vulnerable images:

[Screenshot: download counts for the deprecated or vulnerable images between July 29 and August 10]

While some of these downloads will be automated bots, it’s clear that some of these images are in relatively heavy use.
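One way to reproduce this usage check for your own base images, as an added example and not the authors' tooling: flag repositories whose Hub description reads like a deprecation notice (since the list view shows nothing), and rank them by the difference in pull_count between two snapshots. The snapshots are constructed samples; the field names follow the Docker Hub v2 repository API as I understand it, and the deprecation wording matched is an assumption.

```python
"""Added example (not from the original post): flag Docker Official Images whose Hub
description carries a deprecation notice and rank them by pulls between two snapshots
of the repository listing (the post compared July 29 and August 10).
Snapshots below are constructed samples; field names assume the Hub v2 API."""
import re

# Wording typical of deprecation notices (an assumption, not a Docker Hub field).
DEPRECATION_PATTERN = re.compile(r"deprecat|no longer (?:maintained|supported)|end[- ]of[- ]life", re.I)


def is_deprecated(repo: dict) -> bool:
    """True if the repository's full description reads like a deprecation notice.
    `full_description` comes from the per-repository endpoint; the listing only
    carries the short description."""
    return bool(DEPRECATION_PATTERN.search(repo.get("full_description") or ""))


def pulls_between(before: list, after: list) -> dict:
    """Pulls per repository in the window. pull_count is cumulative, so the difference
    is the window's pulls (clamped at 0 in case a counter was reset)."""
    earlier = {r["name"]: r["pull_count"] for r in before}
    return {r["name"]: max(r["pull_count"] - earlier[r["name"]], 0)
            for r in after if r["name"] in earlier}


def deprecated_by_usage(before: list, after: list) -> list:
    """Deprecated repositories as (name, pulls) ordered busiest first."""
    pulls = pulls_between(before, after)
    flagged = [(r["name"], pulls.get(r["name"], 0)) for r in after if is_deprecated(r)]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


# Constructed snapshots; descriptions are placeholders, not the real Hub text.
SNAP_JULY = [
    {"name": "django", "pull_count": 1000, "full_description": "DEPRECATED: use the python image."},
    {"name": "python", "pull_count": 5000, "full_description": "Python is a programming language."},
    {"name": "iojs", "pull_count": 300, "full_description": "This image is no longer maintained; see node."},
]
SNAP_AUGUST = [
    {"name": "django", "pull_count": 1250, "full_description": "DEPRECATED: use the python image."},
    {"name": "python", "pull_count": 9000, "full_description": "Python is a programming language."},
    {"name": "iojs", "pull_count": 700, "full_description": "This image is no longer maintained; see node."},
]

if __name__ == "__main__":
    for name, pulls in deprecated_by_usage(SNAP_JULY, SNAP_AUGUST):
        print(f"{name}: {pulls} pulls in window")
```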

Conclusion

This research demonstrates the importance of keeping track of the images that you use, and not assuming that even official images from Docker Hub will be maintained in perpetuity.

It also reinforces the container security good practice of maintaining a set of base images for your organization in a container registry that you control and where you can manage the update process in line with your organization’s risk appetite.

Appendix - Official Docker Hub Deprecated Images

Image - Notes

  • java - On Docker Hub, this redirects to the OpenJDK page, but in the docker CLI it pulls an outdated image.
  • django - There is a deprecation notice pointing to the standard Python image.
  • iojs - There is a deprecation notice pointing to the node image.
  • opensuse - There is a deprecation notice pointing to opensuse/leap or opensuse/tumbleweed.
  • ubuntu-debootstrap - There is a deprecation notice pointing to the Ubuntu image.
  • rails - There is a deprecation notice pointing to the ruby image.
  • celery - There is a deprecation notice pointing to the Python image.
  • glassfish - There is a deprecation notice pointing to the glassfish/server image.
  • hipache - There is a deprecation notice but no specific replacement image is named.
  • owncloud - There is a deprecation notice pointing to owncloud/server.
  • piwik - There is a deprecation notice pointing to the matomo image.
  • known - There is a deprecation notice but no specific replacement image is named.
  • sentry - There is a deprecation notice pointing to getsentry/docker-sentry.
  • jenkins - There is a deprecation notice pointing to jenkins/jenkins:lts.

Rory McCune

Rory is a Cloud Native Security Advocate at Aqua. He has worked in the Information and IT Security arena for the last 20 years in a variety of roles. He is an active member of the container security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of the Mastering Container Security training course which has been delivered at numerous industry conferences including Blackhat USA. When he's not working, Rory can generally be found out walking and enjoying the scenery of the Scottish highlands.
