Container Security

In this section

Related articles

What is container security?Everything You Need to Know About Container ScanningDocker Security - Challenges & Best PracticeThree Steps to Container Image SecurityDocker Security Scanning Guide 2023

Top 5 Docker Security Vulnerabilities

Kubernetes Security: Common Issues and Best PracticesKubernetes Monitoring 2023 GuideThe Importance of Container MonitoringWhat is container orchestration?Everything you need to know about Container Runtime SecurityContainer registry security: security concerns for using a container registryMicroservices security: 6 best practice tipsCaaS: Container as a Service ExplainedSecuring Kubernetes in an ever changing ecosystemHow did the Department of Defense move to Kubernetes and Istio?

Want to try it for yourself?

Book a live demo

Top 5 Docker Security Vulnerabilities

How to prevent the most common Docker vulnerabilities in 2023

0 mins read

What is a Docker vulnerability?

A Docker vulnerability is any weakness within an image, container, or host that could potentially be exploited. When these vulnerabilities are discovered and publicly disclosed, they’re added to the Common Vulnerabilities and Exposures (CVE) list. In addition, the Common Vulnerability Scoring System (CVSS) publishes information about the severity of each vulnerability on the CVE List.

Top 5 Docker vulnerabilities that you need to know about

Here are the top five Docker vulnerabilities or CVEs development teams should watch out for.

1. CVE-2019-5736: RUNC CONTAINER BREAKOUT VULNERABILITY

There is a Docker vulnerability where it’s possible to overwrite the host `runc` binary and obtain root access on the host. When malicious actors have root access, they can escalate their privileges and stage devastating attacks. Fixing CVE-2019-5736 requires upgrading `container-common` for Docker instances running on Oracle Linux 8.

2. CVE-2022-0847: DIRTY PIPE

Another vulnerability due to improper initialization is CVE-2022-0847. Dubbed the “dirty pipe” by the security community, this flaw within the kernel pipeline implementation enables a malicious actor to change the content of files that they don’t have permission to change, and then escalate their privileges. Fixing this issue requires upgrading all Linux hosts to patched versions.

3. CVE-2021-21285: UNCONTROLLED RESOURCE CONSUMPTION

In older versions of Docker, there is a vulnerability where pulling a malformed Docker image manifest crashes the Docker daemon running on the host system. Fixing CVE-2021-21285 involves upgrading to a patched version of Docker, which prevents the daemon from crashing due to uncontrolled resource consumption.

4. CVE-2014-9356: DIRECTORY TRAVERSAL

CVE-2015-9356 is a directory traversal vulnerability affecting Docker version 1.3.3. A directory traversal (or path traversal) attack is a way to access files that shouldn’t be accessible by third parties — files that could contain application code or sensitive information. Upgrading to a patched version of Docker can ensure remote attackers won’t be able to exploit the path traversal vulnerability to bypass a container protection mechanism.

5. CVE-2019-14271: IMPROPER INITIALIZATION

In certain Docker versions, there’s a potential code injection vulnerability when the `nsswitch` (name service switch) dynamically loads a library inside a `chroot` (change root) operation that contains the contents of the container. In a code injection attack, an application executes unauthorized code from a malicious actor. Fixing CVE-2019-14271 requires upgrading the Docker CLI for Docker instances running on Oracle Linux 7.

For more information about other Docker vulnerabilities, see the Docker Top 10 vulnerabilities list published by the Open Web Application Security Project (OWASP).

Best practices to reduce Docker vulnerabilities

Although container security is a broad topic, there are a few best practices that can dramatically reduce Docker vulnerabilities. For example, leveraging automated tools to secure the container image, everything inside the container, and the runtime environment in which the container is deployed are effective tactics to increase container security. Learn more about Docker Security here.

Container scanning is an automated approach for detecting vulnerabilities within various components of containerized applications or workloads. These components include the software inside the container, how the container interacts with the host system and other containers, the configurations for networking and storage, and more.

Most container scanning tools leverage a vulnerability database as a trusted source of information about publicly disclosed security vulnerabilities. For example, Snyk’s Vulnerability Database enriches the CVE List and other public vulnerability sources with actionable insights. By including additional information for each Docker CVE, Snyk’s vulnDB enables developers to more easily remediate Docker security issues.

In addition to container scanning, container monitoring is the practice of tracking metrics about the health of containerized applications and workloads, as well as tracking potential exposure to any newly discovered vulnerabilities that may be present in running workloads. This ensures everything is working properly, and could even help reveal potential vulnerabilities, like uncontrolled resource consumption. Container scanning and container monitoring tools complement each other, protecting during the build stage and beyond.

Check out our cheat sheet for an in-depth list of Docker security best practices.

Docker security scanning with Snyk

Snyk offers comprehensive vulnerability scanning for all the components of modern applications, from the source code and open source dependencies to the containers and infrastructure as code configurations. That means Snyk can secure a Docker container image, the code and dependencies it contains, and the configurations used to deploy it.

As adoption for Docker grows, the partnership between Snyk and Docker continues to expand as well – and this is reflected in the Docker vulnerability scanning capabilities of Snyk. In fact, the `docker scan` command within the Docker Desktop CLI is powered by the Snyk platform. With Snyk and Docker together, development teams can build and deploy containers quickly and safely.

You can also learn more about container security and Docker with our 3 steps to container image security, produced with Docker.

Docker Vulnerabilities FAQs

Is Docker a secure platform?

The Docker platform itself isn’t inherently secure or insecure. While containers may be isolated from other processes on a host, additional security measures are still crucial to prevent container breakout and other types of vulnerabilities. An effective container security strategy for building and deploying containers is the best way to reduce the risk of a vulnerability, and in turn, an attack. Just like any other technology platform, following security best practices is the key to mitigating potential threats.

Are Docker images encrypted?

Docker images are not encrypted by default, but it is possible to utilize digital signatures to ensure the integrity of an image. Publishers can sign their image using the Docker Notary tool when they push images to a registry. By verifying the signature using Docker Content Trust, developers can trust that the images they pull or deploy from an image registry are the originals and haven’t been modified by a malicious actor.

What is “container breakout”?

Container breakout is a situation where a malicious actor is able to escape the isolation of a container and access host resources. Once a malicious actor has gained root access on the host, they can escalate their privileges and stage further attacks. A Docker security scanning tool can detect container breakout vulnerabilities (and other types of vulnerabilities) so that developers can patch them before they’re exploited.

Up Next

Kubernetes Security: Common Issues and Best Practices

Is Kubernetes secure? Learn more about Kubernetes security issues in a cloud native security context with tips to secure your K8 deployments.

Keep reading
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon