Our fifth post in this series, covering details of Docker, is the complement to part four. Once again, this post assumes that readers understand how we selected and grouped the vulnerabilities – covered in Part 2. As a brief reminder, charts referencing Docker or Dock refer to those vulnerabilities that are directly or closely related to the Docker project technology while charts referencing “Docker Cfg” or just “Cfg” refer to vulnerabilities associated with someone’s particular use of that technology.
Docker CVSS Distribution
Docker vulnerabilities first show up in the CVE database starting with the 2014-named cohort. Comparing the distribution of the Docker platform and Docker configuration/distribution (Cfg) vulnerabilities’ CVSSv3 scores across the relevant named years (2014-2020) with the CVSSv3 scores of all published CVEs in those same cohorts, we find that both Docker groups’ CVEs’ scores tend to be overall rated as more severe than the general population of vulnerabilities. And, that the Cfg group is noticeably more severe than either the Docker platform group or all CVEs generally.
Looking a little more closely, we see that the total number of published Docker CVEs did not vary dramatically from 2014-2019 ranging from a low of 7 (2015) to a high of 17 (2019). Then, suddenly, there were nearly 50 in 2020 with almost 40 disclosed in December 2020 (we will discuss this spike in more detail shortly). As with Kubernetes, the number of vulnerabilities related to configuration/implementation issues has increased over time.
Compared to the distribution of CVSS scores among all CVEs across the cohorts of interest, it is noteworthy that Docker CVEs trend differently than Kubernetes CVEs. For all CVEs, the High/Critical categories have accounted for more than 50% of the CVSS distribution since 2016 (typically a 40/60 Low-Medium/High-Critical split); the Docker distribution is 50% or better High/Critical across the entire time period (since 2014) and exceeds the 40/60 split in all years except 2016 and 2017.
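The comparisons above rest on bucketing CVSSv3 base scores into the standard qualitative ratings and then collapsing them into a Low-Medium/High-Critical split. The following is an added example (not code from the original post or from CYR3CON) that implements that mapping using FIRST's published CVSSv3 ranges; the score cohorts in it are constructed sample data, not the dataset behind the charts.

```python
"""Bucket CVSS v3.x base scores into qualitative severities and compute the
Low-Medium / High-Critical split used when comparing cohorts.

Added example, not from the original post. The score lists below are
constructed sample data, not the CYR3CON dataset.
"""
from collections import Counter


def cvss3_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating.

    Uses the standard CVSS v3.x ranges: None 0.0, Low 0.1-3.9,
    Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def severity_split(scores) -> tuple[int, int]:
    """Return (low_medium_pct, high_critical_pct) as whole percentages.

    Scores rated 'None' are ignored, matching the two-bucket comparison in
    the text. An empty (or all-'None') input yields (0, 0) rather than
    dividing by zero.
    """
    counts = Counter(cvss3_severity(s) for s in scores)
    low_medium = counts["Low"] + counts["Medium"]
    high_critical = counts["High"] + counts["Critical"]
    total = low_medium + high_critical
    if total == 0:
        return (0, 0)
    return (round(100 * low_medium / total), round(100 * high_critical / total))


# Constructed sample cohorts (illustrative only, not real CVE data).
SAMPLE_ALL_CVES = [3.1, 5.3, 6.5, 7.5, 7.8, 8.8, 9.8, 5.5, 7.2, 9.1]
SAMPLE_DOCKER_CFG = [9.8, 9.8, 9.8, 7.8, 5.5, 9.8, 8.8, 9.8, 7.5, 9.8]

if __name__ == "__main__":
    for name, cohort in (("all CVEs", SAMPLE_ALL_CVES),
                         ("Docker Cfg", SAMPLE_DOCKER_CFG)):
        lm, hc = severity_split(cohort)
        print(f"{name}: Low-Medium {lm}% / High-Critical {hc}%")
```

Feeding real per-year score lists into `severity_split` reproduces the kind of 40/60 versus 30/70 comparison the post draws; the boundary cases (8.9 is High, 9.0 is Critical) are where hand-tallied charts most often drift.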
To better understand the situation with the December 2020 flurry of CVEs, we need to look back at CVE-2019-5021. That CVE revealed that a configuration weakness had been introduced in December 2015 and stated: “Versions of the Official Alpine Linux Docker images (since v3.3) contain a NULL password for the ‘root’ user.”
At the end of 2020, there were 16 CVEs disclosed that specifically reference Alpine and root as well as another 19 that made specific mention of root but did not mention Alpine. Two corresponding examples are:
- CVE-2020-29575: The official elixir Docker images before 1.8.0-alpine (Alpine specific) contain a blank password for a root user.
- CVE-2020-29389: The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user.
If we look at all critical Docker CVEs, we can see that two-thirds of them are attributed to individual configuration errors related to the issue of a blank root password; 31% specifically mention Alpine (and root), while 36% mention only root. All Alpine-related CVEs seem to be specific instances of the general issue described in CVE-2019-5021, and the others mentioning root might be considered in the same spirit, so the large number of additional 2020 CVEs for Docker is somewhat misleading. NOTE: Three CVEs mentioning Alpine/root (CVE-2020-35194, CVE-2020-35188, and CVE-2020-29589) were all published to the NVD in mid-December 2020, but then on 4 January 2021 had their description replaced with “** REJECT ** DO NOT USE THIS CANDIDATE NUMBER”. It is not clear when or if the other Alpine/root-related vulnerabilities might have their descriptions changed as well.
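The weakness shared by CVE-2019-5021 and the 2020 image CVEs above is mechanical: the `root` entry in the image's `/etc/shadow` has an empty password field, so any password-backed login path inside the container accepts an empty password. A defender can catch this at image-build or scan time by parsing the shadow file. The check below is an added example, not code from the original post or from any of the affected projects; the shadow file contents it carries are constructed samples that mimic the vulnerable (`root:::0:::::`) and locked (`root:!::0:::::`) forms, and the `check_shadow_file` path argument is an assumption about where the file is read from.

```python
"""Flag accounts whose /etc/shadow password field is empty.

Added example, not from the original post. The shadow contents below are
constructed samples, not copied from any real image.
"""
import sys


def blank_password_accounts(shadow_text: str) -> list[str]:
    """Return the usernames whose shadow password field is empty.

    A locked field ('!' or '*') or a real hash is fine; an empty second
    field is the weakness behind CVE-2019-5021. Blank lines, comments and
    malformed lines (fewer than two fields) are skipped rather than flagged.
    """
    flagged = []
    for raw in shadow_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw_field = fields[0], fields[1]
        if pw_field == "":
            flagged.append(user)
    return flagged


def check_shadow_file(path: str = "/etc/shadow") -> list[str]:
    """Read a shadow file (assumed path) and return the flagged accounts."""
    with open(path, encoding="utf-8") as fh:
        return blank_password_accounts(fh.read())


# Constructed sample: the shape of a vulnerable image's /etc/shadow.
VULNERABLE_SHADOW = """\
root:::0:::::
bin:!::0:::::
daemon:!::0:::::
nobody:!::0:::::
"""

# Constructed sample: the same file with the root account locked.
FIXED_SHADOW = """\
root:!::0:::::
bin:!::0:::::
daemon:!::0:::::
nobody:*::0:::::
"""

if __name__ == "__main__":
    # Usage: pipe a shadow file in, e.g. from an image under review:
    #   docker run --rm <image> cat /etc/shadow | python3 check_shadow.py
    data = sys.stdin.read() if not sys.stdin.isatty() else VULNERABLE_SHADOW
    hits = blank_password_accounts(data)
    if hits:
        print("blank password field for:", ", ".join(hits))
        sys.exit(1)
    print("no blank password fields found")
```

Running this as part of an image-scanning step turns the class of finding behind the December 2020 CVE spike into a single deterministic check, independent of whether the image is Alpine-based; a non-zero exit from the script is what a CI gate should key on.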
Looking at CyRating for Docker CVEs as we did for Kubernetes CVEs, we see that for CyRatings >=5, Docker differs from CVEs in general for both the platform and configuration (Cfg) groups of vulnerabilities. Unlike the 70/30 split for all CVEs and the Kubernetes-related CVEs, Docker CVEs reflect an 80/20 split, which indicates slightly less real-world risk for Docker CVEs. That might be considered surprising, as it is the opposite of what the CVSS comparison would predict.
The examination of these data might be summarized as follows. First, the number of yearly Docker-related CVEs was ~11 and varied moderately (+/-4) during 2014-2019. Then there was a large spike in reported Docker vulnerabilities in 2020, with 2/3 related to configuration issues in which certain Docker images shipped with a blank root password. Second, while the CVSSv3 scores of all CVEs since 2016 track consistently near a 40/60 split across the combined categories Low-Medium/High-Critical, Docker CVEs have trended higher and nearer a 30/70 split. Third, while the CVSS distribution indicates greater severity of Docker vulnerabilities, the real-world risk posed by these vulnerabilities is generally lower than that posed by vulnerabilities in general, as evidenced by a CyRating >5 that breaks at a 20/80 split for Docker compared with the more general 30/70 split for all CVEs.
CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn how we have become the most accurate, peer-reviewed, predictor of weaponized exploits.