Vulnerability analysis of Linux distributions and Docker container images
Oikarinen, Niina (2021-06-10)
© 2021 Niina Oikarinen. This item is protected by copyright and/or related rights. You may use the item in the ways permitted by the copyright and related-rights legislation that applies to your use. For any other kind of use you need the permission of the rights holders.
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:oulu-202106198598
Abstract
Docker containers are an increasingly popular alternative to virtual machines, and they are widely used in small-scale and large-scale organizations alike. Containers are usually based on Linux distributions, and vulnerabilities in these distributions affect all applications built on such containers. The purpose of this study was to analyse the current security state of selected Linux distributions and to provide insight into the overall security of Docker container usage.
The goal of this study was to identify which components and component versions were used in different OS distributions and how vulnerable these components were. The numbers and severities of vulnerabilities were compared between OS distributions. Changes in critical- and high-severity vulnerabilities were compared between versions of the container distributions, and the lifetimes and types of fixed critical- and high-severity vulnerabilities were determined. Alongside the Docker containers, the corresponding ISO distributions were analysed for comparison.
The ISO and container distributions of Debian, Ubuntu, and CentOS were analysed with Black Duck Binary Analysis (BDBA) software, which analyses the binary code of the distributions. The analysis results contain information about the identified components, their versions, and the vulnerabilities associated with them.
As a result, the Debian, Ubuntu, and CentOS container distributions were considered secure. The observed container maintenance strategies differed between distributions: Debian and Ubuntu containers were updated periodically (approximately monthly), whereas CentOS container updates were tied to updates of the Linux ISO image, i.e. to official releases. The number of critical vulnerabilities was low in all recently released containers. The vulnerabilities fixed between container releases varied widely in age and severity. Even though the containers are based on the ISO distributions, different versions of the same components were used in them, so their vulnerability profiles can differ. Software rot was observed in all distributions, and it is suggested that only the latest versions of maintained distributions be used unless there is a specific reason not to.
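As an added illustration of the comparison the abstract describes (this is example code, not the thesis's tooling and not BDBA output), the following Python script takes constructed component inventories for two successive container releases and the matching ISO image, plus a constructed vulnerability list, and reports which high- and critical-severity issues are still open in each, which were fixed between the two container releases and how long each had been public, and where the container and ISO inventories diverge. Every component version, date, and vulnerability label below is invented for the example; the labels are deliberately not CVE identifiers.

```python
"""Compare component inventories of two container releases (and the
matching ISO) and report critical/high vulnerabilities fixed between
them, with the lifetime of each fix. Added illustration; none of the
data below is real."""
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    vuln_id: str       # constructed label, not a real CVE id
    component: str
    severity: str      # LOW / MEDIUM / HIGH / CRITICAL
    published: date    # date the issue became public
    fixed_in: str      # first component version that carries the fix


SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

# Constructed inventories in the shape a binary analyser reports them
# (component -> version). Versions are illustrative only.
OLD_RELEASE = {"openssl": "1.1.1d", "zlib": "1.2.11", "curl": "7.64.0", "sudo": "1.8.27"}
NEW_RELEASE = {"openssl": "1.1.1k", "zlib": "1.2.11", "curl": "7.74.0", "sudo": "1.9.5p2"}
NEW_RELEASE_DATE = date(2021, 4, 15)   # assumed publication date of NEW_RELEASE
ISO_RELEASE = {"openssl": "1.1.1d", "zlib": "1.2.11", "curl": "7.64.0",
               "sudo": "1.8.27", "gnutls": "3.6.7"}

# Constructed vulnerability feed (hypothetical ids, dates and fix versions).
VULNS = [
    Vuln("VULN-1", "openssl", "CRITICAL", date(2019, 12, 1), "1.1.1e"),
    Vuln("VULN-2", "openssl", "HIGH",     date(2021, 3, 25), "1.1.1k"),
    Vuln("VULN-3", "curl",    "MEDIUM",   date(2020, 6, 1),  "7.71.0"),
    Vuln("VULN-4", "sudo",    "CRITICAL", date(2021, 1, 26), "1.9.5p2"),
    Vuln("VULN-5", "zlib",    "HIGH",     date(2021, 5, 1),  "1.2.12"),
    Vuln("VULN-6", "gnutls",  "HIGH",     date(2020, 1, 1),  "3.6.8"),
]


def version_key(version):
    """Sortable key for upstream-style versions such as 1.1.1k or 1.9.5p2.
    Numeric runs compare as integers, letter runs as strings. Distro
    package versions (epochs, Debian revisions, RPM releases) need the
    package manager's own comparator instead."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.findall(r"\d+|[A-Za-z]+", version))


def affected(version, vuln):
    """True when `version` predates the version that fixed `vuln`."""
    return version_key(version) < version_key(vuln.fixed_in)


def open_vulns(inventory, vulns, min_severity="HIGH"):
    """Vulnerabilities at or above min_severity that still affect the inventory."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted((v for v in vulns
                   if v.component in inventory
                   and SEVERITY_RANK[v.severity] >= threshold
                   and affected(inventory[v.component], v)),
                  key=lambda v: v.vuln_id)


def fixed_between(old, new, vulns, new_release_date, min_severity="HIGH"):
    """Vulnerabilities open in `old` but closed in `new`, each paired with its
    lifetime in days from publication to the release that shipped the fix."""
    still_open = {v.vuln_id for v in open_vulns(new, vulns, min_severity)}
    return [(v, (new_release_date - v.published).days)
            for v in open_vulns(old, vulns, min_severity)
            if v.vuln_id not in still_open]


def component_diff(a, b):
    """Components whose version differs between inventories a and b
    (None marks a component missing on one side)."""
    return {c: (a.get(c), b.get(c)) for c in sorted(set(a) | set(b))
            if a.get(c) != b.get(c)}


if __name__ == "__main__":
    for name, inv in (("old container", OLD_RELEASE), ("new container", NEW_RELEASE),
                      ("ISO", ISO_RELEASE)):
        print(name, "open HIGH+:", [v.vuln_id for v in open_vulns(inv, VULNS)])
    for v, days in fixed_between(OLD_RELEASE, NEW_RELEASE, VULNS, NEW_RELEASE_DATE):
        print(f"fixed {v.vuln_id} ({v.severity}, {v.component}) after {days} days")
    print("container vs ISO differences:", component_diff(NEW_RELEASE, ISO_RELEASE))
```

On the constructed data the new container release closes three of the four high-or-critical issues open in the old one, after lifetimes of 501, 21 and 79 days, while one zlib issue remains open in both; the ISO, carrying older versions and an extra component, has more open issues than either container. The version comparator is intentionally simple: real distribution package versions should be compared with the package manager's own logic (e.g. `dpkg --compare-versions`) rather than a regex split.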
Collections
- Open access [34357]