A key element in building secure containerized applications is making sure that the base image you build on is well maintained and kept patched. A common piece of advice is to use the Docker Official Images for this purpose. However, our research shows that you need to be careful with these images too, because some of them are no longer maintained at all.
What are Docker Official Images?
The Docker Official Images are a set of base images hosted on Docker Hub and maintained by the docker-library project together with the relevant upstream organization. In the Docker CLI, `docker search` flags them in its OFFICIAL column, and on Docker Hub they carry a badge showing their status, as shown for the rails image below:
Official images are also easy to spot on Docker Hub because you don't need to specify a user or organization namespace when pulling them. For example, the command below starts a container based on the official Ubuntu image:
docker run -it ubuntu:20.04 /bin/bash
Scanning Docker Official Images
Using the Docker Hub API, we pulled the descriptions of the 167 official images. We then scanned each of them for vulnerabilities with Aqua's Trivy scanner, using the "latest" tag where the repository had one and the most recently updated tag where it did not.
The first noticeable result was that a number of images were running operating system releases that are no longer supported, such as old versions of Debian or Alpine. A manual review of the Docker Hub pages showed that some of these official images are formally deprecated.
While these deprecation notices are visible on the detail page of each image, it's important to note that the listing of official images carries no indication of deprecation, and that the "last updated" dates of deprecated images continue to change, so a deprecated image can look actively maintained at a glance. For example, the deprecated Django image looks like this in the image list:
Viewing the details of its page, however, shows that it's no longer maintained.
A full list of deprecated official images is provided at the end of this post for reference. In addition to the images that had a formal deprecation notice, we found images with a large number of unpatched vulnerabilities but no formal deprecation information.
The following official images had more than 50 unpatched vulnerabilities when scanned with Trivy's ignore-unfixed option, which drops findings that have no fixed package version available, so every vulnerability counted here could have been fixed simply by rebuilding the image with updated packages:
- nuxeo:latest – 186
- backdrop:latest – 173
- kaazing-gateway:latest – 95
- centos:latest – 86
Of these, perhaps the most significant is the CentOS image, which is widely used as a base image for other images.
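As an added example, not code from the original post, the three rules the scan above depends on, written against the JSON shapes that the Docker Hub v2 API and `trivy image --format json` return: choosing which tag to scan, recognising a deprecation notice in the repository description, and counting only vulnerabilities that have a fix available, which is what `--ignore-unfixed` leaves in a report. The repository, tag and Trivy data embedded below are constructed samples (the vulnerability IDs are placeholders, not real CVEs), and the `hub_get` helper only shows where live data would come from.

```python
"""Triage helpers for Docker Official Images (added example, not from the post).
Inputs follow the JSON returned by the Docker Hub v2 API and by
`trivy image --ignore-unfixed --format json <image>`; the samples are constructed."""
import json
import re
import urllib.request
from datetime import datetime

# Real Docker Hub v2 endpoints whose JSON the functions below consume:
#   repositories/library/<name>/                  -> full_description, pull_count
#   repositories/library/<name>/tags/?page_size=100 -> results[].name, results[].last_updated


def hub_get(path: str) -> dict:
    """Fetch one Hub API page (for live use; the samples below do not call it)."""
    with urllib.request.urlopen("https://hub.docker.com/v2/" + path.lstrip("/")) as resp:
        return json.load(resp)


DEPRECATION_RE = re.compile(r"\bdeprecat(?:ed|ion)\b", re.IGNORECASE)


def is_deprecated(full_description: str) -> bool:
    """True when the Hub README opens with a deprecation notice. Official images
    put the notice at the top, so only the first 1500 characters are checked;
    this avoids matching the word in a changelog further down the page."""
    return bool(DEPRECATION_RE.search(full_description[:1500]))


def pick_scan_tag(tags_page: dict) -> str:
    """'latest' when the repository has it, otherwise the most recently pushed tag."""
    results = tags_page["results"]
    if any(t["name"] == "latest" for t in results):
        return "latest"

    def pushed(tag: dict) -> datetime:
        # Hub timestamps end in 'Z'; older Pythons need the explicit offset.
        return datetime.fromisoformat(tag["last_updated"].replace("Z", "+00:00"))

    return max(results, key=pushed)["name"]


def count_fixable(report: dict) -> int:
    """Vulnerabilities with a FixedVersion, i.e. what --ignore-unfixed keeps:
    a patched package exists upstream but the image was never rebuilt with it."""
    return sum(
        1
        for result in report.get("Results", [])
        for vuln in (result.get("Vulnerabilities") or [])  # key may be absent or null
        if vuln.get("FixedVersion")
    )


# Constructed samples in the shapes the API and Trivy return (not live data).
SAMPLE_REPO = {
    "name": "django",
    "pull_count": 1_000_000,
    "full_description": "# **DEPRECATION NOTICE**\n\nThis image is officially "
                        "deprecated in favor of the `python` image, and will "
                        "receive no further updates.\n\n# What is Django?\n...",
}
SAMPLE_TAGS = {"results": [
    {"name": "1.10", "last_updated": "2016-12-23T21:05:11Z"},
    {"name": "1.8", "last_updated": "2016-10-12T09:41:06Z"},
]}
SAMPLE_TRIVY = {"SchemaVersion": 2, "Results": [
    {"Target": "django:1.10 (debian 8)", "Vulnerabilities": [
        {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libc6",
         "InstalledVersion": "2.19-1", "FixedVersion": "2.19-2", "Severity": "HIGH"},
        {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "openssl",
         "InstalledVersion": "1.0.1", "FixedVersion": "", "Severity": "MEDIUM"},
        {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "bash",
         "InstalledVersion": "4.3-1", "FixedVersion": "4.3-2", "Severity": "LOW"},
    ]},
    {"Target": "Python", "Vulnerabilities": None},
]}

if __name__ == "__main__":
    tag = pick_scan_tag(SAMPLE_TAGS)
    print(f"{SAMPLE_REPO['name']}: deprecated={is_deprecated(SAMPLE_REPO['full_description'])}, "
          f"scan tag={tag}, fixable vulns={count_fixable(SAMPLE_TRIVY)}")
    print(f"scan command: trivy image --ignore-unfixed --format json {SAMPLE_REPO['name']}:{tag}")
```

The deprecation check deliberately reads only the head of the README: the notice is what the post found on the detail pages, and it is the one signal the tag listing and "last updated" date do not give you.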
How much of a problem is this?
A natural follow-up question is how heavily these deprecated or vulnerable images are actually used. If nobody is pulling them, their state is not ideal, but it is not a large problem either.
Docker Hub's API exposes a cumulative pull count for each repository, so reading that count at two points in time gives the number of pulls in between. For the period from July 29 to August 10 we saw the following pull counts for the deprecated or vulnerable images:
| Name | Downloads |
| --- | --- |
| centos | 7,318,982 |
| owncloud | 627,277 |
| java | 486,064 |
| sentry | 304,940 |
| django | 69,925 |
| piwik | 33,945 |
| nuxeo | 19,560 |
| backdrop | 18,364 |
| iojs | 14,073 |
| rails | 12,262 |
| kaazing-gateway | 11,049 |
| celery | 9,651 |
| known | 7,833 |
| glassfish | 388 |
| ubuntu-debootstrap | 127 |
| hipache | 55 |
| opensuse | 14 |
While some of these pulls will come from automated bots and CI systems, it's clear that several of these images are still in relatively heavy use.
Conclusion
This research demonstrates the importance of keeping track of the images you use, and of not assuming that even official images from Docker Hub will be maintained in perpetuity.
It also reinforces the container security good practice of maintaining your own set of base images in a container registry that you control, where you can manage the update process in line with your organization's risk appetite rather than inheriting whatever state an upstream image happens to be in.
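One way to enforce that practice in CI, as an added example that is not from the original post: a policy check over a Dockerfile that rejects any FROM line whose base image is not drawn from your own registry or is not pinned by digest, so that a deprecated or silently rebuilt upstream image cannot enter a build unnoticed. The registry hostname `registry.example.internal`, the digest value and the Dockerfile text are constructed for the example.

```python
"""Dockerfile base-image policy check (added example, not from the post).
Flags FROM lines that pull from outside the organization's registry or that
are not pinned by digest. Registry name and Dockerfile content are constructed."""
import re
from typing import List

ALLOWED_REGISTRY = "registry.example.internal"  # assumption: your own registry

# FROM [--platform=...] <ref> [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def registry_of(ref: str) -> str:
    """Docker's reference rule: the first path component names a registry only
    if it contains '.' or ':' or is 'localhost'; otherwise the ref is on docker.io."""
    first = ref.split("/", 1)[0]
    if "/" in ref and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check_dockerfile(text: str) -> List[str]:
    """Return one finding per policy violation; an empty list means compliant.
    'scratch' and references to earlier build stages are allowed."""
    findings = []
    stage_names = set()
    for match in FROM_RE.finditer(text):
        ref, alias = match.group("ref"), match.group("alias")
        if alias:
            stage_names.add(alias)
        if ref == "scratch" or ref in stage_names:
            continue
        registry = registry_of(ref)
        if registry != ALLOWED_REGISTRY:
            findings.append(f"FROM {ref}: base image comes from {registry}, not {ALLOWED_REGISTRY}")
        if not DIGEST_RE.search(ref):
            findings.append(f"FROM {ref}: not pinned by digest, so the base can change under you")
    return findings


# Constructed placeholder digest (64 hex chars), not a real image digest.
FAKE_DIGEST = "sha256:" + "ab" * 32

# Constructed multi-stage Dockerfile: one line violates both rules, one is
# unpinned, one is compliant, and the last reuses an earlier stage.
SAMPLE_DOCKERFILE = f"""
FROM centos:latest
RUN yum install -y gcc
FROM {ALLOWED_REGISTRY}/base/python:3.9-slim AS builder
COPY . /app
FROM {ALLOWED_REGISTRY}/base/python@{FAKE_DIGEST} AS runtime
COPY --from=builder /app /app
FROM builder AS tests
"""

if __name__ == "__main__":
    for finding in check_dockerfile(SAMPLE_DOCKERFILE):
        print(finding)
```

Pinning by digest is what makes the mirrored base images under your control: a tag such as `centos:latest` can be rebuilt or abandoned upstream without any change visible in the Dockerfile, whereas a digest only changes when you deliberately promote a new base image into your registry.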
Appendix – Official Docker Hub Deprecated Images
| Image | Notes |
| --- | --- |
| java | On Docker Hub, this redirects to the OpenJDK page, but in the docker CLI it still pulls an outdated image. |
| django | There is a deprecation notice pointing to the standard python image. |
| iojs | There is a deprecation notice pointing to the node image. |
| opensuse | There is a deprecation notice pointing to opensuse/leap or opensuse/tumbleweed. |
| ubuntu-debootstrap | There is a deprecation notice pointing to the ubuntu image. |
| rails | There is a deprecation notice pointing to the ruby image. |
| celery | There is a deprecation notice pointing to the python image. |
| glassfish | There is a deprecation notice pointing to the glassfish/server image. |
| hipache | There is a deprecation notice, but no replacement image is named. |
| owncloud | There is a deprecation notice pointing to owncloud/server. |
| piwik | There is a deprecation notice pointing to the matomo image. |
| known | There is a deprecation notice, but no replacement image is named. |
| sentry | There is a deprecation notice pointing to getsentry/docker-sentry. |
| jenkins | There is a deprecation notice pointing to jenkins/jenkins:lts. |