For our sixth and final post in this series on Docker and Kubernetes, we look at how the Docker and Kubernetes vulnerabilities map onto the hierarchical Common Weakness Enumeration (CWE) list. If you missed part 2, the discussion below uses the platform abbreviations K8s and Dock for the relevant/partly relevant vulnerability groups, and K8s Dist and Dock Cfg for the distribution- and configuration-related vulnerability groups. For more details, refer to part 2.
The MITRE site currently maintains a list of 918 software and hardware weaknesses classified with Common Weakness Enumeration (CWE) numbers. One interesting product derived from analysis of CVE-to-CWE mappings is the “2020 CWE Top 25 Most Dangerous Software Weaknesses”, a list compiled from data over the previous two calendar years that scores each CWE on prevalence and severity. As part of our analysis of Kubernetes- and Docker-related CVEs, we generated a Top 10 list for each of the four categories we have been examining by combining prevalence with CyRating-based severity. We then compared the CWEs in the Top 25 list with those in our Top 10 lists; the results are in the table below.
Among the 10 highest-scoring CWEs in the Top 25, half did not appear in our Top 10 lists at all, while the other half covered 22.5% of the lists’ CWEs (orange shading). Two-thirds of the CWEs ranked 11-25 in the Top 25 covered another 32.5% of the Kubernetes/Docker-related CWEs (bold). The Top 25 list provides somewhat useful data on the most common and impactful issues across all CVEs, but as a source of insight into the most severe and current weaknesses in Docker/Kubernetes it appears to do little better than random at identifying the CVEs of most interest to hackers. Nearly half (45%) of the top 10 CWEs across the Docker/Kubernetes vulnerability categories had no coverage from the Top 25 list.
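The coverage comparison above can be reproduced on your own CVE data. The following is an added example, not CYR3CON's code; it assumes prevalence and severity are combined by multiplying the CVE count per CWE by the mean severity (the post does not state its exact formula), and it uses constructed placeholder CVE records and a constructed reference list in place of the real Top 25.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample: (CVE id, mapped CWE id, severity score on a 0-10 scale).
# The IDs are placeholders, not real vulnerabilities; the severity column stands
# in for a CyRating-style score (an assumption about the post's method).
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-20", 8.1),
    ("CVE-0000-0002", "CWE-20", 6.4),
    ("CVE-0000-0003", "CWE-22", 9.0),
    ("CVE-0000-0004", "CWE-22", 7.2),
    ("CVE-0000-0005", "CWE-269", 9.3),
    ("CVE-0000-0006", "CWE-59", 5.5),
    ("CVE-0000-0007", "CWE-400", 4.0),
    ("CVE-0000-0008", "CWE-200", 3.8),
    ("CVE-0000-0009", "CWE-863", 8.8),
]

# Constructed stand-in for a reference list such as the CWE Top 25.
# Only membership matters for the coverage check, not the reference rank.
REFERENCE_TOP = {"CWE-20", "CWE-22", "CWE-200", "CWE-79", "CWE-89"}


def rank_cwes(records, top_n=10):
    """Score each CWE by prevalence (number of CVEs) times mean severity and
    return up to top_n CWE ids, highest score first (ties broken by id).
    The product is an assumed combination rule, not the post's exact formula."""
    by_cwe = defaultdict(list)
    for _cve, cwe, severity in records:
        by_cwe[cwe].append(severity)
    scored = {cwe: len(sev) * mean(sev) for cwe, sev in by_cwe.items()}
    return sorted(scored, key=lambda c: (-scored[c], c))[:top_n]


def coverage(ranked, reference):
    """Fraction of the ranked CWEs that also appear in the reference list;
    1 - coverage is the share the reference list gives no insight into."""
    if not ranked:
        return 0.0
    return sum(1 for c in ranked if c in reference) / len(ranked)


if __name__ == "__main__":
    top = rank_cwes(SAMPLE_CVES)
    print("ranked CWEs:", top)
    print(f"covered by reference list: {coverage(top, REFERENCE_TOP):.1%}")
    print(f"not covered: {1 - coverage(top, REFERENCE_TOP):.1%}")
```

Swap in your real CVE-to-CWE mappings and severity scores for SAMPLE_CVES, and the actual Top 25 ids for REFERENCE_TOP, to get the same kind of coverage figure the post reports.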
We hope you've enjoyed this series of posts on container vulnerabilities. CYR3CON helps teams prioritize vulnerabilities and prevent breaches. Contact us today to learn how we have become the most accurate, peer-reviewed predictor of weaponized exploits.