Rezilion Research Discovers Hidden Vulnerabilities in Hundreds of Docker Container Images
BE’ER SHEVA, Israel, Feb. 23, 2023 /PRNewswire/ — Rezilion today announced the release of the company’s new research, “Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers,” which uncovers hundreds of Docker container images containing vulnerabilities that most standard vulnerability scanners and SCA tools do not detect.

The research revealed numerous high-severity and critical vulnerabilities hidden in hundreds of popular container images that have been downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are listed in the CISA Known Exploited Vulnerabilities catalog, including CVE-2021-42013, CVE-2021-41773 and CVE-2019-17558.

This finding follows Part I of the research, released in October, which was the first quality assessment of leading open-source and commercial vulnerability scanners and SCA tools. That vulnerability scanner benchmark identified the most common causes of scanner misidentifications, including both false positive and false negative results.

The new research dives deeper into one of the root causes identified in that assessment: the inability to detect software components that are not managed by package managers. The study explains that standard vulnerability scanners and SCA tools inherently rely on querying package managers to learn which packages exist in the scanned environment, which makes them prone to missing vulnerable software in several common scenarios where software is deployed in ways that circumvent those package managers. The research shows precisely how wide this gap is and what its impact is on organizations that use third-party software. The report provides numerous real-world examples of some of the most popular Docker container images that contain dozens of such hidden vulnerabilities, and it presents recommendations for minimizing the risk described in the research.

According to the report, deployment methods that circumvent package managers are extremely common in Docker containers. The research team identified over 100,000 container images that deploy code in a way that bypasses package managers, including most of Docker Hub’s official container images. These containers either already contain hidden vulnerabilities or are liable to acquire hidden vulnerabilities as soon as a vulnerability in one of these components is disclosed.

The report identifies four distinct scenarios in which software is deployed without any interaction with package managers: the application itself; the runtimes required to run the application; the dependencies the application needs in order to work; and the dependencies required for the deployment or build process of the application that are not removed at the end of the container image build. It shows how hidden vulnerabilities find their way into container images through each of these paths.
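One way to surface the components those four scenarios describe, as an added illustration that is not part of the press release or of Rezilion’s research: the script below inspects an unpacked image root (for example the output of `docker export ... | tar -x`) and lists executables that no installed package claims. It assumes a Debian/Ubuntu-based image, so it reads dpkg’s own file lists under `var/lib/dpkg/info/*.list`; the fixture it builds is constructed for the demonstration and stands in for a real exported image.

```shell
#!/bin/sh
# Added example (not from the press release or Rezilion's research).
# Assumption: Debian/Ubuntu image whose dpkg database is at <root>/var/lib/dpkg/info/*.list,
# dpkg's real on-disk layout. Paths listed there are what a package-manager-driven scanner
# sees; any other executable under the bin directories is invisible to it.

find_unmanaged_executables() {
  img_root="$1"
  owned="$(mktemp)"
  # Every path claimed by an installed package (empty if the dpkg database is absent).
  cat "$img_root"/var/lib/dpkg/info/*.list 2>/dev/null | sort -u > "$owned"
  for dir in /bin /usr/bin /usr/local/bin /opt; do
    [ -d "$img_root$dir" ] || continue
    find "$img_root$dir" -type f -perm -100 2>/dev/null
  done | while IFS= read -r f; do
    rel="${f#"$img_root"}"                 # path as it appears inside the image
    grep -qxF "$rel" "$owned" || printf '%s\n' "$rel"
  done | sort
  rm -f "$owned"
}

# Constructed fixture standing in for an exported image: one binary installed via apt
# (so it is recorded in dpkg's file list) and one runtime dropped in from a tarball.
build_sample_image_root() {
  sample="$(mktemp -d)"
  mkdir -p "$sample/usr/bin" "$sample/usr/local/bin" "$sample/var/lib/dpkg/info"
  printf '#!/bin/sh\n' > "$sample/usr/bin/curl"
  chmod 755 "$sample/usr/bin/curl"
  printf '/usr/bin/curl\n' > "$sample/var/lib/dpkg/info/curl.list"
  printf '#!/bin/sh\n' > "$sample/usr/local/bin/node"   # e.g. "ADD node.tar.xz /usr/local"
  chmod 755 "$sample/usr/local/bin/node"
  printf '%s\n' "$sample"
}

demo_root="$(build_sample_image_root)"
echo "Executables not owned by any dpkg package:"
find_unmanaged_executables "$demo_root"    # prints /usr/local/bin/node
rm -rf "$demo_root"
```

Pointing `find_unmanaged_executables` at a real exported image root gives a first inventory of the binaries a package-manager-driven scanner would never see, which is exactly the set that needs separate version tracking.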

“We hope this research will educate developers and security practitioners about the existence of this gap so that they will be able to take appropriate actions to minimize the risk, as well as push vendors and open-source projects to add support for these kinds of scenarios,” said Yotam Perkal, Director, Vulnerability Research at Rezilion. “It’s important to note that as long as vulnerability scanners and SCA tools fail to accommodate these situations, any container image that installs packages or executables in this manner may eventually contain ‘hidden’ vulnerabilities if any of these components become vulnerable.”

To download the full report, please visit: https://info.rezilion.com/scanner-research-part-ii

About Rezilion:

Rezilion’s software supply chain security platform automatically assures that the software you use and deliver is free of risk. Rezilion detects third-party software components at any layer of the software stack and understands the actual risk they carry, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable risk across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours, while giving DevOps teams time back to build.

Learn more about Rezilion’s platform at www.rezilion.com and get a 30-day free trial.