Aqua Blog

Vulnerability Management

Risk-Based Vulnerability Management in Container Images

There’s an overwhelming number of vulnerabilities in container images – and the security of your deployments is probably suffering because of it. No matter the size of your organization, it’s a significant challenge to identify the biggest risks to your business and know what to tackle first. Merely classifying and …

Cloud Native Security Best Practices: Vulnerability Management

After four years of securing cloud native applications, our team at Aqua has learned a thing or two about applying best practices in the real world. We’ve seen many organizations succeed in establishing a sound process and tooling to achieve their security goals, and we’ve also seen those who struggle to prioritize …

Docker Image Scanning in your Codefresh Pipeline with Aqua

There are many benefits to implementing CI/CD platforms, such as enabling fast and frequent release cycles of software and applications, but with great speed comes great responsibility. It is crucial to add security controls around container image creation and deployment to ensure that your applications are properly …

Mitigating Container Image Vulnerabilities with Aqua Vulnerability Shield™

Managing known vulnerabilities in container images has been one of the first issues to get the attention of organizations that adopt containers. Knowing what vulnerabilities (CVEs) lurk in your image code is important, but fixing or patching the images that contain vulnerabilities has been a challenge, since it’s not …

Kubernetes API Server Patch DoS Vulnerability (CVE-2019-1002100)

A new medium-severity vulnerability in open source Kubernetes has been disclosed (CVE-2019-1002100) that can, if exploited, lead to a denial of service on the K8s API server, which in turn may leave the cluster inoperable.

The best mitigation is to remove the “patch” permissions from untrusted users, …

Severe Privilege Escalation Vulnerability in Kubernetes (CVE-2018-1002105)

Earlier this week, a severe vulnerability in Kubernetes (CVE-2018-1002105) was disclosed that allows an unauthenticated user to perform privilege escalation and gain full admin privileges on a cluster. The CVE was given a high severity score of 9.8 (out of 10), and it affects all Kubernetes versions from 1.0 onwards, …

"Jack-in-the-Box" Vulnerability When Unpacking Images (CVE-2018-8115)

Last week, Michael Hanselmann published details of a remote code execution vulnerability (CVE-2018-8115) that impacts Docker for Windows. As he described it: “Docker for Windows uses the Windows Host Compute Service Shim published and maintained by Microsoft. Its use of Go's “filepath.Join” function with unsanitized …

Aqua’s MicroScanner: Free Image Vulnerability Scanner for Developers

At Aqua we’ve been working on a new, free-to-use tool for scanning your container images for package vulnerabilities. MicroScanner uses the same vulnerability database as Aqua’s best-in-class commercial scanner, so you’re getting top-notch results.

Using Aqua to Secure Applications on Pivotal Cloud Foundry

Many organizations use Pivotal Cloud Foundry (PCF), one of the world’s most powerful cloud native platforms. PCF enables developers and operators to iterate rapidly, helps them expand and launch new businesses fast, and lets them deliver extraordinary user experiences to their customers.

Protecting Hybrid-Cloud Workloads? Lessons from ESG Survey

Today’s #1 attack: zero-day exploits of new and previously unknown vulnerabilities in apps and OSs

Top container security challenges: a lack of adequate security tools (and the tools that do exist are disparate), vulnerabilities in images, and the need for granular access control between containers

eBPF Vulnerability (CVE-2017-16995): When the Doorman Becomes the Backdoor

Co-written by Nahman Khayet and Michael Cherny

eBPF Verifier Bypass Vulnerability

Around the last week of December, a tweet by Bruce Leidl caught our eye, since it said “Straight up unlimited R/W to all kernel memory”...
