
A Security Review of Docker Official Images: Which Do You Trust?


A key element in building secure containerized applications is to ensure that the base image that you use is well-maintained and secure. A common piece of advice is to use the Docker Official Images for this purpose. However, our research reveals that you need to be careful when using these images, as some are no longer fully maintained.

What are Docker Official Images?

The Docker Official Images are a set of base images hosted by Docker and maintained by the docker-library project together with the relevant upstream organization. In the Docker CLI, official images are marked OFFICIAL in search listings, and on Docker Hub they get a badge showing their status, as shown for the rails image below:

[Figure: rails-official-image-docker-hub]

Official images are also easy to spot because you don’t need to specify a username when pulling them. For example, the line below creates a container based on the official Ubuntu image:

docker run -it ubuntu:20.04 /bin/bash

Scanning Docker Official Images

Using the Docker Hub API, we pulled the descriptions of the 167 official images. We then analyzed these for security vulnerabilities with Aqua’s Trivy scanner, using the “latest” tag where it was available and the “last updated” tag for images where there was no latest tag.

The first noticeable result was that a number of images were running unsupported operating systems — old versions of Debian or Alpine. A manual review of the Docker Hub pages showed that in some cases official images are no longer supported.

While these deprecation notices are visible in the detail of the image, it’s important to note that in the list of official images there is no notification and that the “last updated” dates are still being changed for deprecated images. For example, the deprecated Django image looks like this in the image list:

[Figure: django-official-image]

But viewing the details of its page shows it’s no longer maintained.

[Figure: django-details-deprecated]

A full list of deprecated official images is provided at the end of this post for reference. In addition to the images that had a formal deprecation notice, we found images with a large number of unpatched vulnerabilities but no formal deprecation information.

The following official images had more than 50 unpatched vulnerabilities when scanned with Trivy’s --ignore-unfixed option, which reports only vulnerabilities that already have a fix available upstream, so these counts are fixes that simply have not been applied to the image:

  • nuxeo:latest – 186
  • backdrop:latest – 173
  • kaazing-gateway:latest – 95
  • centos:latest – 86

Of these, perhaps the most interesting is the CentOS image, which is a commonly used base image.
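The triage steps described above (pick a tag per image, count the findings Trivy would show with --ignore-unfixed, and flag an end-of-life base OS) can be reproduced offline from Trivy's JSON output. The block below is an added example and is not Aqua's tooling or the scanner's own code. It assumes that Docker Hub's tag listing follows the v2 API shape {"results": [{"name": ..., "last_updated": ...}]} and that Trivy's JSON report carries Metadata.OS.EOSL and a per-finding FixedVersion; the sample reports, image names and counts are constructed for illustration.

```python
"""Offline reproduction of the post's triage steps: choose a tag per image,
count fixable-but-unapplied vulnerabilities from a Trivy JSON report, and
flag an end-of-life base OS. Added example, not Aqua's or Trivy's code.

Assumptions (not taken from the post): Docker Hub's tag listing follows the
v2 API shape {"results": [{"name": ..., "last_updated": ...}]}; Trivy's JSON
report carries Metadata.OS.EOSL and a per-finding FixedVersion. Sample data
below is constructed; image names and numbers are illustrative.
"""
from datetime import datetime

HUB_API = "https://hub.docker.com/v2/repositories"


def hub_tags_url(image):
    """Official images live in the 'library' namespace, which is why no
    username is needed on the CLI (docker pull ubuntu == library/ubuntu)."""
    return f"{HUB_API}/library/{image}/tags?page_size=100"


def choose_tag(tags):
    """Use 'latest' when it exists, otherwise the most recently updated tag."""
    if any(t["name"] == "latest" for t in tags):
        return "latest"

    def updated(t):
        # Hub returns RFC 3339 with a trailing 'Z'; fromisoformat wants '+00:00'
        return datetime.fromisoformat(t["last_updated"].replace("Z", "+00:00"))

    return max(tags, key=updated)["name"]


def count_fixable(report):
    """Count findings that carry a FixedVersion: a patch exists upstream but
    the image was not rebuilt. This mirrors what trivy --ignore-unfixed shows."""
    return sum(
        1
        for result in report.get("Results", [])
        for vuln in (result.get("Vulnerabilities") or [])
        if vuln.get("FixedVersion")
    )


def os_is_eosl(report):
    """Trivy marks an unsupported base OS with Metadata.OS.EOSL = true."""
    return bool(report.get("Metadata", {}).get("OS", {}).get("EOSL"))


def triage(reports, threshold=50):
    """Return (image, fixable_count, eosl) for images that exceed the
    threshold or run an EOSL base OS, sorted by fixable count descending."""
    rows = [(name, count_fixable(rep), os_is_eosl(rep)) for name, rep in reports.items()]
    return sorted((r for r in rows if r[1] > threshold or r[2]),
                  key=lambda r: r[1], reverse=True)


def make_report(image, os_family, os_name, eosl, fixable, unfixable):
    """Build a constructed Trivy-shaped report with the given finding counts."""
    def vuln(i, fixed):
        return {
            "VulnerabilityID": f"CVE-0000-{i:04d}",  # placeholder id, constructed
            "PkgName": "libexample",
            "InstalledVersion": "1.0",
            "FixedVersion": "1.1" if fixed else "",
            "Severity": "HIGH",
        }
    vulns = [vuln(i, True) for i in range(fixable)]
    vulns += [vuln(i, False) for i in range(fixable, fixable + unfixable)]
    return {
        "SchemaVersion": 2,
        "ArtifactName": image,
        "Metadata": {"OS": {"Family": os_family, "Name": os_name, "EOSL": eosl}},
        "Results": [{"Target": f"{image} ({os_family} {os_name})", "Class": "os-pkgs",
                     "Type": os_family, "Vulnerabilities": vulns}],
    }


# Constructed sample: names, OS versions and counts are illustrative only.
SAMPLE_REPORTS = {
    "image-a:latest": make_report("image-a:latest", "debian", "8.11", True, 186, 40),
    "image-b:latest": make_report("image-b:latest", "centos", "8", False, 86, 12),
    "image-c:latest": make_report("image-c:latest", "alpine", "3.8.5", True, 3, 9),
    "image-d:latest": make_report("image-d:latest", "debian", "10.5", False, 10, 30),
}

if __name__ == "__main__":
    for name, fixable, eosl in triage(SAMPLE_REPORTS):
        flag = " (EOSL base OS)" if eosl else ""
        print(f"{name:16} {fixable:4d} fixable{flag}")
```

In a real run, `hub_tags_url` feeds the tag listing into `choose_tag`, the chosen reference goes to `trivy image --format json`, and the resulting report goes to `triage`. Note that an image can pass the fixable-count threshold and still be a problem: image-c above has only three fixable findings, but its base OS is end-of-life, so no further fixes will ever arrive for it.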

How much of a problem is this?

A natural follow-up question is how much these deprecated or vulnerable images are actually being used. If no one is pulling them, the situation is not ideal, but it is not a large problem either.

Docker Hub’s API provides download counts, so by checking the image pull counts at two points in time, we can establish how many downloads they had. Looking at the period from July 29 to August 10 we can see the following download counts for deprecated or vulnerable images:

Name                   Downloads
centos                 7,318,982
owncloud                 627,277
java                     486,064
sentry                   304,940
django                    69,925
piwik                     33,945
nuxeo                     19,560
backdrop                  18,364
iojs                      14,073
rails                     12,262
kaazing-gateway           11,049
celery                     9,651
known                      7,833
glassfish                    388
ubuntu-debootstrap           127
hipache                       55
opensuse                      14

While some of these downloads will be automated bots, it’s clear that some of these images are in relatively heavy use.
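The download figures above come from differencing two readings of Docker Hub's cumulative pull counter. The block below is an added example of that method and is not Aqua's tooling; it assumes that GET https://hub.docker.com/v2/repositories/library/<image>/ returns a JSON object whose pull_count field is a cumulative, monotonically increasing total. The API body and the two snapshots are constructed, not the post's measurements.

```python
"""Estimate downloads over a period from two Docker Hub pull_count readings.
Added example, not Aqua's tooling.

Assumption (not from the post): the repository endpoint
https://hub.docker.com/v2/repositories/library/<image>/ returns JSON with a
cumulative "pull_count", so the difference between two readings is the number
of pulls in between. All data below is constructed.
"""
import json


def pull_count_from_response(body):
    """Extract pull_count from one repository API response body (JSON text)."""
    return int(json.loads(body)["pull_count"])


def pull_deltas(before, after):
    """Downloads between two snapshots ({image: pull_count}), highest first.
    Images missing from either snapshot are skipped rather than guessed."""
    rows = [(name, after[name] - before[name]) for name in before if name in after]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def format_table(rows):
    """Render rows as the two-column text table used in the post."""
    lines = [f"{'Name':<22}{'Downloads':>12}"]
    lines += [f"{name:<22}{delta:>12,}" for name, delta in rows]
    return "\n".join(lines)


# Constructed API body, in the shape the repository endpoint returns.
SAMPLE_BODY = '{"user": "library", "name": "centos", "namespace": "library", "pull_count": 8318982}'

# Constructed snapshots: cumulative pull_count values at two points in time.
# "newimage" appears only in the first snapshot and is therefore skipped.
SNAPSHOT_START = {"centos": 1_000_000, "django": 50_000, "hipache": 100, "newimage": 0}
SNAPSHOT_END = {"centos": 8_318_982, "django": 119_925, "hipache": 155}

if __name__ == "__main__":
    print(format_table(pull_deltas(SNAPSHOT_START, SNAPSHOT_END)))
```

Because the counter is cumulative, the method only yields a rate, not who or what is pulling; as the post notes, some of that traffic will be CI systems and bots rather than people, so treat the numbers as an upper bound on human use.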

Conclusion

This research demonstrates the importance of keeping track of the images that you use, and not assuming that even official images from Docker Hub will be maintained in perpetuity.

It also reinforces the container security good practice of maintaining a set of base images for your organization in a container registry that you control and where you can manage the update process in line with your organization’s risk appetite.

Appendix – Official Docker Hub Deprecated Images

Image               Notes
java                On Docker Hub, this redirects to the OpenJDK page, but in the docker CLI it pulls an outdated image.
django              There is a deprecation notice pointing to the standard Python image.
iojs                There is a deprecation notice pointing to the node image.
opensuse            There is a deprecation notice pointing to opensuse/leap or opensuse/tumbleweed.
ubuntu-debootstrap  There is a deprecation notice pointing to the Ubuntu image.
rails               There is a deprecation notice pointing to the ruby image.
celery              There is a deprecation notice pointing to the Python image.
glassfish           There is a deprecation notice pointing to the glassfish/server image.
hipache             There is a deprecation notice but no specific replacement image is named.
owncloud            There is a deprecation notice pointing to owncloud/server.
piwik               There is a deprecation notice pointing to the matomo image.
known               There is a deprecation notice but no specific replacement image is named.
sentry              There is a deprecation notice pointing to getsentry/docker-sentry.
jenkins             There is a deprecation notice pointing to jenkins/jenkins:lts.

Rory McCune
Rory was a Cloud Native Security Advocate at Aqua. He has worked in the Information and IT Security arena for the last 20 years in a variety of roles. He is an active member of the container security community having delivered presentations at a variety of IT and Information security conferences. He has also presented at major containerization conferences and is an author of the CIS Benchmarks for Docker and Kubernetes and main author of the Mastering Container Security training course which has been delivered at numerous industry conferences including Blackhat USA.