Top ten most popular docker images each contain at least 30 vulnerabilities

Currently reading
Top ten most popular docker images each contain at least 30 vulnerabilities

1,414
611
NAS
DS220+ : DS1019+ : DS216+II : DS118 : DS120j : APC Back UPS ES 700 — Mac/iOS user
I don’t know what to think! I’m still struggling trying to run things on Docker :)
 

fredbert

Moderator
NAS Support
Subscriber
1,441
604
NAS
DS218+, DS215j
Router
RT2600ac, MR2200ac
Operating system
macOS
Mobile operating system
iOS
:eek:

This is probably the biggest issue I have with the Docker respository(ies) ... many applications have multiple containers available and from different sources. It's difficult to know which is the safe(st) one to use and mostly the documentation about a container is very much lacking, and often limited to container 'gFrodod/gandalfsbrother' where there's no link to even say what gFrodod is. And is it better or worse than 'gFrodod/spacemarinereaper'?
 
Imho, vulnerabilities on the os level can be ignored as long as they are not dependencies for the core service inside the image.

On Docker Hub usualy official images are scannend for vulnerability and a report is available (see TAGS-tab in the repo). Go for images based on alpine if your want less vulnarabilites: usualy they include the bare minimum. Lesser packages mean lesser surface for vulnerabilites.

The realy thread are vulverabilities in the exposed application and the libraries it depends on.

Usualy a Dockerfile repo can be found for images on Github. You can always rebuild the image yourself.
Docker Hub has automated builds, which even allows to trigger a re-build when the upstream image was build - though, this only works, if the upstream image is not an official image (Imagine millions of custom images beeing re-build every time ubuntu, alpine or a debian base images are updated... this would put a lot of stress on Docker Hub)
 
Last edited:
349
90
NAS
DS418play
Router
RT2600ac, MR2200ac
Operating system
macOS, Windows
Mobile operating system
iOS
I mostly use official images or from linuxserver.

But what to do with for example MariaDB (that has vulnerabilities according to that report) that I need for some other images, I don't know.
 
349
90
NAS
DS418play
Router
RT2600ac, MR2200ac
Operating system
macOS, Windows
Mobile operating system
iOS
This one seems ok for monitoring Docker images: Docker Hub

But I don't like the option to update them automatically. I just want to monitor my image versions. There is an option for it, but not sure how to add it if I set up this container using Docker UI:

321
 
96
47
NAS
2x DS920+
Router
RT2600ac, MR2200ac
Operating system
Linux, macOS, Windows, other
Mobile operating system
iOS
Disagree. Updated doesn't mean safe. Losing control of updating concerns me more.
That's what the --no-pull option is for, as wwwampy said.
 
But what to do with for example MariaDB (that has vulnerabilities according to that report) that I need for some other images, I don't know.
That's fairly simple: separate each application stack (app+db+whatever) in it's own custom network. If an application in one of the stacks is hacked, worst case it can affect other containers in the same custom network. Each db should be used by a single stack. Unless the database is exposed to the internet directly (who would do that anyway?!), the remaining vector would be an exposed container beeing exploited and used for further attacks in the custom network. One should be more afraid of runing an internet exposed services with known vulnerabilities than of running a database with known vulnerabilities
 
349
90
NAS
DS418play
Router
RT2600ac, MR2200ac
Operating system
macOS, Windows
Mobile operating system
iOS
When opening the Github repo v2tec/watchtower a forward to containrrr/watchtower is done. I assume containrrr/watchtower is the successor of the unmaintained Dockerhub repo.
Great!

Also in the documentation, I can see this:

326


So I can add via Docker UI the Environment Variable: WATCHTOWER_NO_PULL and for value I add false. I guess this will work.


One should be more afraid of runing an internet exposed services with known vulnerabilities than of running a database with known vulnerabilities
Agree. I hope my services are ok :unsure:
 

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Trending threads

Top