Docker/Kubernetes Part 1: Exploitation in the Wild

From development through production, containerization is the current hot name of the game as this innovative concept has shifted into the mainstream.  While the most prominent names in containerization – Docker and Kubernetes – are not quite household words yet, neither are they appropriately described as new.  Of course, if you are a CISO who has only recently been startled to learn that some enterprising team members (likely without explicit authorization) took initiative to set up Kubernetes and launch some Docker instances to take advantage of the benefits of cloud-native development, you are not alone. 


DockerKubernetes Part 1 Exploitation in the Wild

With organizations looking with increasing frequency to migrate applications from virtual machine (VM) environments to containerized environments, we recently took a look at Docker/Kubernetes-associated vulnerabilities published to MITRE’s CVE list through the end of 2020. The vulnerabilities examined were those directly associated with the Docker or Kubernetes projects or related to the use, configuration, or implementation of these technologies.  Over a series of blog posts, we will share some of the insights we found during this investigation.  The observation we will share in this article is related to exploits in the wild. 

Exploitation in the wild 

It turns out that the number of different CVEs that are actually exploited in the wild is relatively low.  Studies of these numbers have resulted in values ranging from 1.3% to 15% in the nine studies we have read.  Our own data and analysis of the other studies suggest that ~3% is a reasonable estimate.  Regardless of the exact value, the results indicate that a large majority of vulnerabilities (85% – 98.7%) appear to never be exploited.  Our study of Docker/Kubernetes-related CVEs reinforces this understanding.  In the donut graph below, we show that the percentage of known exploited CVEs related to Docker/Kubernetes tracks with the general trend for all CVEs.   

Precisely determining the number of vulnerabilities that have actually been exploited in the wild is tricky.  Predicting what will be exploited is much harder.  Despite some NIST guidance suggesting that CVSS data can be used by itself to aid in prioritizing vulnerability remediation efforts,” some research has found that prioritizing patching by CVSS is no better than patching with random prioritization.  The pie graphs below seem to show that this understanding holds for Kubernetes (K8s) and Docker-related CVEs as well.  

cvss docker graphs

The graph on the left shows the distribution of all Kubernetes and Docker-related CVEs from 2014 – 2020 across the four CVSS severity categories.  The graph on the right depicts the CVSS category distribution of the 4% of Docker/Kubernetes-related CVEs that are known to have been exploited in the wild.  If CVSS were truly useful for prioritization, we could reasonably expect the right-hand graph to consist entirely of critical vulnerabilities.  The fact that it does not is really not surprising because the CVSS score is meant to be an objective, technical evaluation and, by design, does not consider any notion of a vulnerability’s subjective appeal to the hacker community. 

Our study of Docker/Kubernetes-related vulnerabilities highlights, once again, the need to fill the gap left when real-world threat and its associated risks are left out of vulnerability evaluation.  CYR3CON was founded on years of scientific research with a proven track record of applying AI to thorny threat prediction problems such as predicting road-side bomb locations in Iraq.  That same fundamental AI research was applied in the cybersecurity domain and resulted in the creation of CyRating to help IT practitioners prioritize the remediation of vulnerabilities based on real-world threat/risk. 

Read Part 2: Vulnerability Attribution


CYR3CON helps teams prioritize vulnerabilities and prevent breaches.  Contact us today to learn how we have become the most accurate, peer-reviewed, predictor of weaponized exploits.


About our guest author: Geoff Stoker, Ph.D., Assistant Professor University of North Carolina Wilmington (UNCW), former Chief Information Security Officer of the 82nd Airborne

Geoff Stoker served 24 ½ years in the U.S. Army including a four-year tour with the 82nd Airborne Division as the CISO, 15 months of which were spent in Afghanistan protecting coalition networks, and a three-year teaching stint as an Instructor/Assistant Professor/Course Director at the United States Military Academy (USMA), West Point. Since July 2016 he has worked with CYR3CON in various capacities including as an interface between customers and developers, internal tester, trainer, and technical writer. He earned his CS degrees from USMA (BS), the University of Virginia (MCS), and the University of Maryland, College Park (PhD).