"Researchers Find Vulnerabilities in Hundreds of Docker Containers"

Rezilion discovered hundreds of Docker container images with vulnerabilities that are not recognized by most standard vulnerability scanners and Software Composition Analysis (SCA) tools. Several high-severity and critical vulnerabilities were discovered in popular container images that have collectively been downloaded billions of times. These include high-profile vulnerabilities with publicly available exploits. CVE-2021-42013, CVE-2021-41773, and CVE-2019-17558 are among the vulnerabilities known to be actively exploited in the wild and listed in the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. The research examines the inability to detect software components that package managers do not cover. The study explains how standard vulnerability scanners and SCA tools rely on data from package managers to learn which packages exist in the scanned environment. This leaves them susceptible to missing vulnerable software packages in common scenarios in which software is deployed in ways that bypass these package managers, such as binaries built from source or vendor tarballs unpacked into the image. This study reveals the gap and its impact on companies using third-party software. This article continues to discuss Rezilion's discovery of vulnerabilities in hundreds of Docker container images. 
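The following is an added illustration, not code from the article or from Rezilion's research, of the detection gap described above: a scanner that inventories an image from the package manager's own records sees only the files those records claim, while a filesystem walk combined with version-string extraction also surfaces components that were installed outside the package manager. The dpkg file lists, the discovered files, their byte contents and the embedded version strings are all constructed sample data; the regexes assume the programs embed version strings such as `Apache/2.4.x` and `OpenSSL 1.1.1x`, which is an assumption of this example.

```python
"""
Added example: compare a package-manager-based inventory with a
filesystem-based one to show which components the former misses.
All data below is constructed; nothing here is read from a real image.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: per-package file lists in the form a Debian-style
# package manager records them (real location: /var/lib/dpkg/info/<pkg>.list).
DPKG_FILE_LISTS: Dict[str, List[str]] = {
    "apache2-bin": ["/usr/sbin/apache2", "/usr/lib/apache2/modules/mod_ssl.so"],
    "libssl1.1": ["/usr/lib/x86_64-linux-gnu/libssl.so.1.1"],
}

# Constructed sample: executables and libraries a walk of the image's
# filesystem found, with a few bytes standing in for each file's contents.
# The version strings mimic those the real programs embed (an assumption).
DISCOVERED_FILES: Dict[str, bytes] = {
    "/usr/sbin/apache2": b"\x7fELF...Apache/2.4.52 (Debian)...",
    "/usr/local/apache2/bin/httpd": b"\x7fELF...Apache/2.4.49 (Unix)...",  # built from source
    "/opt/vendor/lib/libssl.so.1.1": b"\x7fELF...OpenSSL 1.1.1k  25 Mar 2021...",  # bundled copy
    "/usr/lib/x86_64-linux-gnu/libssl.so.1.1": b"\x7fELF...OpenSSL 1.1.1n  15 Mar 2022...",
}

# Hypothetical component labels paired with the version string each embeds.
VERSION_PATTERNS: List[Tuple[str, "re.Pattern[bytes]"]] = [
    ("apache-httpd", re.compile(rb"Apache/(\d+\.\d+\.\d+)")),
    ("openssl", re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")),
]


def build_owner_index(file_lists: Dict[str, List[str]]) -> Dict[str, str]:
    """Map every path the package manager knows about to its owning package."""
    owners: Dict[str, str] = {}
    for pkg, paths in file_lists.items():
        for path in paths:
            owners[path] = pkg
    return owners


def identify_component(blob: bytes) -> Optional[Tuple[str, str]]:
    """Recover (component, version) from a version string embedded in the file."""
    for label, pattern in VERSION_PATTERNS:
        match = pattern.search(blob)
        if match:
            return label, match.group(1).decode()
    return None


def inventory(discovered: Dict[str, bytes], file_lists: Dict[str, List[str]]) -> List[dict]:
    """Join the filesystem view with the package-manager view, one row per file."""
    owners = build_owner_index(file_lists)
    rows = []
    for path, blob in sorted(discovered.items()):
        ident = identify_component(blob)
        rows.append({
            "path": path,
            "package": owners.get(path),  # None: not tracked by the package manager
            "component": ident[0] if ident else None,
            "version": ident[1] if ident else None,
        })
    return rows


def unmanaged(rows: List[dict]) -> List[dict]:
    """Rows a dpkg-only scanner would never see: files no package claims."""
    return [row for row in rows if row["package"] is None]


if __name__ == "__main__":
    rows = inventory(DISCOVERED_FILES, DPKG_FILE_LISTS)
    print("Package-manager view (what a dpkg-based scanner inventories):")
    for row in rows:
        if row["package"]:
            print(f"  {row['package']:<12} {row['component']} {row['version']}  {row['path']}")
    print("Additional components found only by the filesystem walk:")
    for row in unmanaged(rows):
        print(f"  {'(none)':<12} {row['component']} {row['version']}  {row['path']}")
```

The package-manager view reports one httpd and one OpenSSL, both at the distribution's versions; the filesystem view adds a second httpd under `/usr/local` and a bundled OpenSSL under `/opt`, which is exactly the class of component a scanner that trusts dpkg alone will never match against an advisory feed. In a real image the file lists come from `/var/lib/dpkg/info/*.list` and the byte contents from the files themselves; the matching logic is unchanged.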

Help Net Security reports "Researchers Find Vulnerabilities in Hundreds of Docker Containers"

Submitted by Anonymous on