Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Common Vulnerabilities & Exposures (CVE) In Doc...

jmortegac
October 17, 2018
Technology
3
550

Common Vulnerabilities & Exposures (CVE) In Docker Containers

CVEs are the standard source for vulnerability details and descriptions. Security professionals use CVEs to understand vulnerabilities and what can be done to prevent them.Securing application containers requires a security strategy which includes analyze and audit docker images layer by layer.

jmortegac

October 17, 2018
Tweet

More Decks by jmortegac

See All by jmortegac
Seguridad de APIs en Drupal: herramientas, mejores prácticas y estrategias para asegurar las APIs
jmortega
1
13
Security and auditing tools in Large Language Models (LLM)
jmortega
1
20
Herramientas de benchmarks para evaluar el rendimiento en máquinas y aplicaciones
jmortega
0
28
Asegurando tus APIs: Explorando el OWASP Top 10 de Seguridad en APIs
jmortega
1
51
PyGoat: Analizando la seguridad en aplicaciones Django
jmortega
1
160
Evolution of security strategies in K8s environments- All day devops
jmortega
1
50
Ciberseguridad en Blockchain y Smart Contracts: Explorando los desafíos y soluciones
jmortega
1
82
Evolution of security strategies in K8s environments
jmortega
1
37
Implementing Observability for Kubernetes
jmortega
1
28

Other Decks in Technology

See All in Technology
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
150
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
240
エンジニア人生の拡張性を高める 「探索型キャリア設計」の提案
tenshoku_draft
1
110
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
地理情報データをデータベースに格納しよう~ GPUを活用した爆速データベース PG-Stromの紹介 ~
sakaik
1
150
New Relicを活用したSREの最初のステップ / NRUG OKINAWA VOL.3
isaoshimizu
2
570
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
370
Can We Measure Developer Productivity?
ewolff
1
150
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
安心してください、日本語使えますよ―Ubuntu日本語Remix提供休止に寄せて― 2024-11-17
nobutomurata
0
980
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
740

Featured

See All Featured
Designing on Purpose - Digital PM Summit 2013
jponch
115
7k
It's Worth the Effort
3n
183
27k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Being A Developer After 40
akosma
86
590k
Facilitating Awesome Meetings
lara
50
6.1k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Scaling GitHub
holman
458
140k

Transcript

  1. October 17, 2018 Common Vulnerabilities & Exposures (CVE) In Docker

    Containers José Manuel Ortega @jmortegac

  2. October 17, 2018 October 17, 2018 • Dockes images •

    Docker CVE and container threats • Container images scanning tools • NVD vulnerabilities & Vulners Agenda

  3. October 17, 2018 October 17, 2018

  4. October 17, 2018 October 17, 2018

  5. October 17, 2018 October 17, 2018 • Checking the software

    packages, binaries, libraries, operative system files, against one or more well known vulnerabilities databases. • Analyzing the Dockerfile and image metadata to detect security sensitive configurations • User defined policies like software packages blacklists, base images whitelists. Container image scanning

  6. October 17, 2018 October 17, 2018

  7. October 17, 2018 October 17, 2018 Docker CVE https://www.docker.com/docker-cve-database

  8. October 17, 2018 October 17, 2018 https://www.saucs.com/cve?vendor=docker

  9. October 17, 2018 October 17, 2018 https://www.cvedetails.com/product/28125/Docker-Docker.html?vendor_id=13534

  10. October 17, 2018 October 17, 2018

  11. October 17, 2018 October 17, 2018 • The Dirty Cow

    exploit on the Linux kernel allowing root privilege escalation on a host or container. • OpenSSL heap corruption caused by malformed key header and a crash caused by the presence of a specific extension. • Buffer overflow in Ruby and Python libraries allowing execution of malicious code. • Vulnerabilities like the glibc stack-based buffer overflow • SQL injection attacks that put hackers in control of a database container in order to steal data Container threats

  12. October 17, 2018 October 17, 2018

  13. October 17, 2018 October 17, 2018

  14. October 17, 2018 October 17, 2018

  15. October 17, 2018 October 17, 2018

  16. October 17, 2018 October 17, 2018 CVSS = Impact ×

    Exploitability

  17. October 17, 2018 October 17, 2018

  18. October 17, 2018 October 17, 2018 DirtyCow https://security-tracker.debian.org/tracker/CVE-2016-5195

  19. October 17, 2018 October 17, 2018 DirtyCow https://security-tracker.debian.org/tracker/CVE-2016-5195

  20. October 17, 2018 October 17, 2018 DirtyCow https://github.com/gebl/dirtycow-docker-vdso

  21. October 17, 2018 October 17, 2018 DirtyCow dockerfile

  22. October 17, 2018 October 17, 2018 DirtyCow execution

  23. October 17, 2018 October 17, 2018 Prevent DirtyCow with apparmor

  24. October 17, 2018 October 17, 2018 Jack-in-the-Box" Vulnerability When Unpacking

    Images (CVE-2018-8115) • Patched in Community version (Docker CE 18.03.1 and Docker CE 17.05.0-rc1) • https://github.com/aquasecurity/scan-cve-2 018-8115

  25. October 17, 2018 October 17, 2018 https://github.com/aquasecurity/scan-cve-2018-8115/blob/master/ verify.py

  26. October 17, 2018 October 17, 2018 Most vulnerable packages

  27. October 17, 2018 October 17, 2018 • CoreOS/Clair(Ubuntu CVE Tracker

    Debian Security Bug Tracker, Red Hat Security Data) • Anchore Engine • Dagda Container image scanning open-source tools

  28. October 17, 2018 October 17, 2018

  29. October 17, 2018 October 17, 2018

  30. October 17, 2018 October 17, 2018 $ docker exec clair_clair

    analyzer <image_name>

  31. October 17, 2018 October 17, 2018 • Extract build, installed

    packages, and other system’s information • Scan images for known vulnerabilities with anchore CLI Anchore engine

  32. October 17, 2018 October 17, 2018 Anchore engine

  33. October 17, 2018 October 17, 2018 Anchore architecture

  34. October 17, 2018 October 17, 2018 Anchore navigator

  35. October 17, 2018 October 17, 2018 Anchore cli

  36. October 17, 2018 October 17, 2018 Anchore cli

  37. October 17, 2018 October 17, 2018

  38. October 17, 2018 October 17, 2018

  39. October 17, 2018 October 17, 2018

  40. October 17, 2018 October 17, 2018

  41. October 17, 2018 October 17, 2018

  42. October 17, 2018 October 17, 2018

  43. October 17, 2018 October 17, 2018

  44. October 17, 2018 October 17, 2018

  45. October 17, 2018 October 17, 2018 NVD vulnerabilities https://github.com/linxack/nvdparser

  46. October 17, 2018 October 17, 2018 NVD vulnerabilities

  47. October 17, 2018 October 17, 2018 Vulners

  48. October 17, 2018 October 17, 2018

  49. October 17, 2018 October 17, 2018 Vulners

  50. October 17, 2018 October 17, 2018

  51. October 17, 2018 October 17, 2018 Vulners

  52. October 17, 2018 October 17, 2018 Vulners

  53. October 17, 2018 October 17, 2018 Vulners

  54. October 17, 2018

  55. October 17, 2018 Thank You Supporters

  56. October 17, 2018 Meet me in the Slack channel for

    Q&A bit.ly/addo-slack