Well Begun is Half Done: An Empirical Study of Exploitability & Impact of Base-Image Vulnerabilities

TL;DR

This empirical study investigates the exploitability and impact of vulnerabilities in container base-images, analyzing their prevalence and characteristics in open-source containerized software to improve security awareness.

Contribution

It provides the first comprehensive empirical analysis of base-image vulnerabilities, characterizing their exploitability, impact, and prevalence in real-world containerized applications.

Findings

Identified 1,983 unique vulnerabilities in base-images.

Discovered 13 novel insights about vulnerability exploitability and impact.

Found widespread presence of vulnerable base-images in open-source projects.

Abstract

Container technology, (e.g., Docker) is being widely adopted for deploying software infrastructures or applications in the form of container images. Security vulnerabilities in the container images are a primary concern for developing containerized software. Exploitation of the vulnerabilities could result in disastrous impact, such as loss of confidentiality, integrity, and availability of containerized software. Understanding the exploitability and impact characteristics of vulnerabilities can help in securing the configuration of containerized software. However, there is a lack of research aimed at empirically identifying and understanding the exploitability and impact of vulnerabilities in container images. We carried out an empirical study to investigate the exploitability and impact of security vulnerabilities in base-images and their prevalence in open-source containerized software. We considered base-images since container images are built from base-images that provide all the core functionalities to build and operate containerized software. We discovered and characterized the exploitability and impact of security vulnerabilities in 261 base-images, which are the origin of 4,681 actively maintained official container images in the largest container registry, i.e., Docker Hub. To characterize the prevalence of vulnerable base-images in real-world projects, we analysed 64,579 containerized software from GitHub. Our analysis of a set of $1,983$ unique base-image security vulnerabilities revealed 13 novel findings. These findings are expected to help developers to understand the potential security problems related to base-images and encourage them to investigate base-images from security perspective before developing their applications.