A scan of 4 Million Docker images reveals 51% have critical flaws

Security experts analyzed 4 million public Docker container images hosted on Docker Hub and found half of them was having critical flaws.

Container security firm Prevasio has analyzed 4 million public Docker container images hosted on Docker Hub and discovered that the majority of them had critical vulnerabilities.

The cybersecurity firm used its Prevasio Analyzer service that ran for one month on 800 machines.

51% of the 4 million images were including packages or app dependencies with at least one critical flaw and 13% had high-severity vulnerabilities.

“The dynamic analysis also revealed 6,432 malicious or potentially harmful container images, representing 0.16% of all publicly available images at Docker Hub.” reads the analysis published by Prevasio. “This report explains the work that we’ve done, our findings, the types of malware found and several typical examples of container images found to contain malicious or potentially harmful software.”

Researchers who focused on Linux container images only, revealed that nearly 1% of all images were excluded from the analysis because are built for Windows only and/or have no Linux-specific builds.

The researchers also discovered that 6,432 images included potentially malicious software, such as cryptocurrency miners (44%, 2,842 images and Pull count: 129.5M), hacking tools (20%, 1,269 images and Pull count: 70M), the malicious npm package flatmap-stream (23%, 1,482 images, Pull count: 95M), and tainted applications (trojanized WordPress plugins, Apache Tomcat, and Jenkins).

The total pull count of the malicious or potentially harmful images is over 300 million.

Some of the images contained dynamic payloads that at runtime were downloading the source code of a cryptocurrency miner and execute it.

Experts pointed out that currently, most of the malware found in the images targets Windows.

“The investigation conducted by Prevasio illustrates that Linux OS, and Linux containers in particular are not immune to security risks” concludes the report. “Our research shows that the primary security risk is enabled by critical vulnerabilities. More than half of all container images hosted by Docker Hub, contain one or more critical vulnerability, and are, therefore, potentially exploitable.Another risk is in the fact that out of 4 million publicly available images, 6,432 are found to contain malicious or potentially harmful code.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Docker)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.