How to handle Vulnerable Docker Official Image

    CSA Instructor
    Posted Jan 26, 2022 02:14:00 AM
    Dear all,

    I think more and more of our customers are using Docker. Many of them simply build their application on top of the official Docker image. As stated in the CSO Online article "Half of all Docker Hub images have at least one critical vulnerability", many of the official Docker images contain vulnerable packages. For example, Bitnami images rely on Debian 10. When we performed package scanning using a solution such as Snyk, the image was found to have hundreds of vulnerabilities due to out-of-date packages.

    However, our customer's SI team stated that the image is already the official image from the Docker site, but as Snyk states there is no fix, so what should they do?

    We observed that many of them are classified as critical or high in the CVE ratings. So what should we propose they do? Are there any other solutions or methods other than asking the SI to build the image themselves?

    Are there any suggestions from industry best practices or solutions? Do any documents from CSA cover this vulnerability management part?

    Please advise.



    ------------------------------
    Ricci Ieong
    consultant
    ewalker consulting
    ------------------------------