
Much has been written about Docker, and about how secure the containerization is. This is about keeping what's inside each container secure. Earlier this month, a study on security vulnerabilities on Docker Hub came out, and the picture isn't pretty.

Over 80% of the :latest versions of official images contained at least one high-severity vulnerability!

And it's not the only one raising questions. I believe we have a fundamental problem here.

On Debian (and most of its best-known derivatives), we are extremely lucky to have a wonderful security support system. If you run a Debian system, the combination of unattended-updates, needrestart, debsecan, and debian-security-support will help one keep a Debian system secure and verify that it is. When the latest OpenSSL bug comes out, generally speaking by the time I wake up, unattended-updates has already patched it, needrestart has already restarted any server that uses it, and I'm protected.

Debian's security team generally backports fixes rather than just saying "here's the new version", making it very safe to automatically apply patches. As long as I use what's in Debian stable, all layers mentioned above will be protected using this scheme.

Problem #1: No built-in way to know when a base needs to be updated, or to automatically update it

First of all, there is nothing in Docker like unattended-updates. Although a few people have suggested ways to run unattended-updates inside containers, there are many reasons that approach doesn't work well. The standard advice is to update/rebuild containers.

So how do you know when to do that? It is not all that obvious. Theoretically, official OS base images will be updated when needed, and then other Docker Hub images will detect the base update and be rebuilt. So, if a bug in a base image is found, and if the vendors work properly, and if you are somehow watching, then you could be protected. There is work in this area; tools such as watchtower help here.

But this can lead to a false sense of security, because:

Problem #2: Diverse and complicated vendor security picture

Different images can use different operating system bases. Consider just these official images, and the bases they use (tracking the latest tag on each):

- nginx: debian:stretch-slim (stretch is pre-release at this date!)
- mongo: debian:wheezy-slim (previous release)
- node: buildpack-deps:jessie, eventually depends on debian:jessie
- wordpress: php:5.6-apache, eventually depends on debian:jessie
- robotamer/citadel: debian:testing (dangerous, because testing is an alias for different distros at different times)

The good news is that Debian jessie seems to be pretty popular here. The bad news is that you see everything from Oracle Linux, to Ubuntu, to Debian testing, to Debian oldstable in just this list. Go a little further, and you'll see Alpine Linux, CentOS, and many more represented.

Here's the question: what do you know about the security practices of each of these organizations? How well updated are their base images? Even if it's Debian, how well updated is, for instance, the oldstable or the testing image?

The attack surface here is a lot larger than if you were just using a single OS.

Problem #3: No way to detect when intermediate libraries need to be updated

Let's say your Docker image is using a base that is updated immediately when a security problem is found. Let's further assume that your software package (WordPress, MySQL, whatever) is also being updated.

What about the intermediate dependencies? Let's look at the build process for nginx. The Dockerfile for it begins with debian:stretch-slim. But then it does a natural thing: it runs an apt-get install, pulling in packages from both Debian and an nginx repo.
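One way to get a handle on the intermediate-dependency problem is to record the package manifest inside the image at build time, rebuild, and diff the two. The following is an added example, not code from the original post or from any of the projects it names; it assumes the manifests were captured with `dpkg-query -W -f='${Package}\t${Version}\n'` and uses constructed sample data, and it also flags which version moves look like Debian stable security backports (same upstream, revision gains a `+debNuM` marker) versus new upstream releases.

```python
from typing import Dict, NamedTuple, Tuple

class Drift(NamedTuple):
    changed: Dict[str, Tuple[str, str]]  # name -> (old, new)
    added: Dict[str, str]
    removed: Dict[str, str]

def parse_manifest(text: str) -> Dict[str, str]:
    # Input: output of  dpkg-query -W -f='${Package}\t${Version}\n'
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            packages[name.strip()] = version.strip()
    return packages

def diff_manifests(deployed: str, rebuilt: str) -> Drift:
    """Compare the manifest of the deployed image with a fresh rebuild."""
    before, after = parse_manifest(deployed), parse_manifest(rebuilt)
    changed = {n: (before[n], after[n]) for n in before
               if n in after and before[n] != after[n]}
    added = {n: v for n, v in after.items() if n not in before}
    removed = {n: v for n, v in before.items() if n not in after}
    return Drift(changed, added, removed)

def split_version(version: str) -> Tuple[str, str]:
    """Split a Debian version into (upstream, revision); the epoch is dropped."""
    version = version.split(":", 1)[-1]
    upstream, sep, revision = version.rpartition("-")
    return (upstream, revision) if sep else (version, "")

def looks_like_stable_backport(old: str, new: str) -> bool:
    """True when upstream is unchanged and only the Debian revision moved,
    carrying a +debNuM stable-update marker: a backported fix, not a new release."""
    old_up, _ = split_version(old)
    new_up, new_rev = split_version(new)
    return old_up == new_up and "+deb" in new_rev

# Constructed sample manifests (not captured from real images).
DEPLOYED = "libc6\t2.24-11+deb9u1\nlibssl1.1\t1.1.0f-3+deb9u1\nnginx\t1.13.3-1~stretch\n"
REBUILT = ("libc6\t2.24-11+deb9u1\nlibssl1.1\t1.1.0f-3+deb9u2\n"
           "nginx\t1.13.5-1~stretch\nlibpcre3\t2:8.39-3\n")

if __name__ == "__main__":
    drift = diff_manifests(DEPLOYED, REBUILT)
    for name, (old, new) in sorted(drift.changed.items()):
        kind = "backported fix" if looks_like_stable_backport(old, new) else "new upstream"
        print(f"{name}: {old} -> {new} ({kind})")
    print("added:", sorted(drift.added), "removed:", sorted(drift.removed))
```

Running the diff on every rebuild (or on a schedule against the deployed image) turns "did any intermediate library change?" into a concrete, answerable question, even when the base image tag itself did not move.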
