Rezilion announced today the release of its new research, "Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers," which uncovers hundreds of Docker container images containing vulnerabilities that most standard vulnerability scanners and SCA tools do not detect. The research revealed numerous high-severity and critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively, including CVE-2021-42013, CVE-2021-41773, and CVE-2019-17558.
The research dives deeper into one of the root causes identified in the assessment: the inability to detect software components that are not managed by a package manager. The study explains that standard vulnerability scanners and SCA tools inherently rely on package-manager data to learn which packages exist in the scanned environment, so in several common scenarios (for example, software compiled from source, copied in as a binary, or installed by a vendor script) they miss vulnerable software packages entirely. The report provides numerous real-world examples of some of the most popular Docker container images that contain dozens of such hidden vulnerabilities.
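As an added example (not Rezilion's research tooling), the following Python script shows the gap the report describes from the defender's side: it compares executables found in a container's root filesystem against the files that dpkg's own `.list` records claim, so a binary installed outside the package manager stands out. The root filesystem, the `curl.list` entry and the three "binaries" are constructed sample data.

```python
"""Flag executables in a container rootfs that no dpkg package claims.
Package-manager based scanners only see what dpkg (or rpm, apk, ...) recorded,
so anything listed here is invisible to them. Constructed demo, not a real image."""
import stat
import tempfile
from pathlib import Path


def dpkg_owned_files(root: Path) -> set[str]:
    """Collect every path recorded in <root>/var/lib/dpkg/info/*.list."""
    owned: set[str] = set()
    for lst in (root / "var/lib/dpkg/info").glob("*.list"):
        for line in lst.read_text().splitlines():
            if line.strip():
                owned.add(line.strip())
    return owned


def unmanaged_executables(root: Path,
                          dirs=("usr/bin", "usr/local/bin", "opt")) -> list[str]:
    """Executable regular files under `dirs` that no dpkg .list entry covers."""
    owned = dpkg_owned_files(root)
    found = []
    for d in dirs:
        base = root / d
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            # Check the owner-execute bit directly rather than os.access(),
            # which answers "yes" for root regardless of the mode bits.
            if p.is_file() and p.stat().st_mode & stat.S_IXUSR:
                rel = "/" + p.relative_to(root).as_posix()
                if rel not in owned:
                    found.append(rel)
    return sorted(found)


def build_demo_rootfs() -> Path:
    """Constructed sample: one apt-managed binary (curl) and two vendored
    binaries (an httpd and a solr) dropped in without any package record."""
    root = Path(tempfile.mkdtemp())
    info = root / "var/lib/dpkg/info"
    info.mkdir(parents=True)
    (info / "curl.list").write_text("/usr/bin\n/usr/bin/curl\n")
    for rel in ("usr/bin/curl", "opt/httpd/bin/httpd", "usr/local/bin/solr"):
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(b"\x7fELF")  # fake ELF header, enough for the demo
        f.chmod(f.stat().st_mode | stat.S_IXUSR)
    return root


if __name__ == "__main__":
    for path in unmanaged_executables(build_demo_rootfs()):
        print("not tracked by dpkg:", path)
```

On a real image you would point `unmanaged_executables` at an unpacked layer or a `docker export` tree; every path it prints needs version identification by some means other than the package database.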
According to Yotam Perkal, Director of Vulnerability Research at Rezilion, "We hope this research will educate developers and security practitioners about the existence of this gap so that they will be able to take appropriate actions to minimize the risk, as well as push vendors and open-source projects to add support for these types of scenarios. It's important to note that as long as vulnerability scanners and SCA tools fail to accommodate these situations, any container image that installs packages or executables in this manner may eventually contain 'hidden' vulnerabilities if any of these components become vulnerable."