Rezilion Research Discovers Hidden Vulnerabilities in Hundreds of Docker Container Images

BE’ER SHEVA, Israel, Feb. 23, 2023 /PRNewswire/ — Rezilion announced today the release of the company’s new research, “Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers,” uncovering the presence of hundreds of Docker container images containing vulnerabilities that are not detected by most standard vulnerability scanners and SCA tools.

The research revealed numerous high-severity and critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are part of the CISA Known Exploited Vulnerabilities catalog, including CVE-2021-42013, CVE-2021-41773 and CVE-2019-17558.

This finding follows Part I of the research, released in October, which was the first quality assessment of leading open-source and commercial vulnerability scanners and SCA tools. That vulnerability scanner benchmark survey identified the most common causes of scanner misidentifications, including both false positive and false negative results.

The new research dives deeper into one of the root causes identified in the assessment: the inability to detect software components not managed by package managers. The study explains how standard vulnerability scanners and SCA tools inherently rely on data acquired from package managers to learn which packages exist in the scanned environment. This makes them susceptible to missing vulnerable software packages in multiple common scenarios in which software is deployed in ways that circumvent those package managers. The research shows precisely how wide this gap is and its impact on organizations using third-party software. The report provides numerous real-world examples of some of the most popular Docker container images that contain dozens of such hidden vulnerabilities, and it offers recommendations on minimizing the risk presented in the research.

According to the report, deployment methods that circumvent package managers are extremely common in Docker containers. The research team identified over 100,000 container images that deploy code in a way that bypasses the package managers, including most of DockerHub’s official container images. These containers either already contain hidden vulnerabilities or are prone to them: as soon as a vulnerability is identified in one of these unmanaged components, the scanners will not report it.

The report identifies four different scenarios in which software is deployed without interaction with package managers: the application itself; the runtimes required for the application to operate; the dependencies the application needs in order to work; and dependencies required for the deployment/build process of the application that are not deleted at the end of the container image build. For each, it shows how hidden vulnerabilities can find their way into the container images.
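The following is an added illustration of the blind spot described above; it is example code written for this page, not code from the Rezilion report or from any scanner. It models a scanner that builds its inventory from the dpkg status database and contrasts that with a complementary check: listing executables on disk that no installed package claims. The status stanzas, file lists, paths and version strings are all constructed for the example.

```python
# Added example (not from the Rezilion report): a toy model of why
# package-manager-driven scanners miss software copied into an image.
# All data below is constructed; nothing is read from the running host.

# Constructed excerpt in the format of /var/lib/dpkg/status.
DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1n-0+deb11u4
Description: Secure Sockets Layer toolkit - cryptographic utility
 This continuation line belongs to the Description field.

Package: curl
Status: install ok installed
Version: 7.74.0-1.3+deb11u7

Package: libexample
Status: deinstall ok config-files
Version: 0.1-1
"""

# Constructed per-package file lists (the role of /var/lib/dpkg/info/<pkg>.list).
DPKG_FILE_LISTS = {
    "openssl": ["/usr/bin/openssl", "/usr/lib/x86_64-linux-gnu/libssl.so.1.1"],
    "curl": ["/usr/bin/curl"],
}

# Constructed list of executables found by walking the image filesystem.
# The last two arrived via Dockerfile steps such as `curl | tar` or COPY,
# so the package database knows nothing about them.
IMAGE_EXECUTABLES = [
    "/usr/bin/openssl",
    "/usr/bin/curl",
    "/usr/local/bin/node",   # a runtime unpacked from a tarball
    "/opt/app/bin/server",   # the application binary itself
]


def parse_dpkg_status(text):
    """Return {package: version} for stanzas whose Status marks them installed.

    Continuation lines (leading space) are skipped; a stanza in state
    'deinstall ok config-files' is not an installed package and is excluded.
    """
    inventory = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line.startswith(" ") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
        if fields.get("Status", "").endswith(" installed"):
            inventory[fields["Package"]] = fields["Version"]
    return inventory


def owner_of(path, file_lists):
    """Mimic `dpkg -S path`: the package owning the file, or None."""
    for package, paths in file_lists.items():
        if path in paths:
            return package
    return None


def unmanaged_executables(executables, file_lists):
    """Executables on disk that no package claims: the scanner's blind spot."""
    return sorted(p for p in executables if owner_of(p, file_lists) is None)


if __name__ == "__main__":
    seen = parse_dpkg_status(DPKG_STATUS)
    print("What a package-manager-driven scanner inventories:")
    for name, version in seen.items():
        print(f"  {name} {version}")
    print("Executables present but owned by no package:")
    for path in unmanaged_executables(IMAGE_EXECUTABLES, DPKG_FILE_LISTS):
        print(f"  {path}")
```

The inventory the toy scanner produces contains only openssl and curl; the Node runtime and the application binary never appear in it, so no vulnerability in either could be reported from that inventory alone. The second function is the kind of check the report's recommendations point toward: enumerate what is actually on disk and treat anything without a package owner as a component that needs its own version tracking.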

“We hope this research will educate developers and security practitioners of the existence of this gap so that they will be able to take appropriate actions to minimize the risk as well as push vendors and open-source projects to add support for these types of scenarios,” said Yotam Perkal, Director, Vulnerability Research at Rezilion. “It’s important to note that as long as vulnerability scanners and SCA tools fail to accommodate for these situations, any container image that installs packages or executables in this manner may eventually contain ‘hidden’ vulnerabilities if any of these components become vulnerable.”

To download the full report, please visit: https://info.rezilion.com/scanner-research-part-ii


About Rezilion:

Rezilion’s software supply chain security platform automatically assures that the software you use and deliver is free of risk. Rezilion detects third-party software components on any layer of the software stack and understands the actual risk they carry, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable risk across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours, while giving DevOps teams time back to build.

Learn more about Rezilion’s platform at www.rezilion.com and get a 30-day free trial.
