Vulnerability analysis of Linux distributions and Docker container images
University of Oulu, Faculty of Information Technology and Electrical Engineering, Information Processing Science
Online access: PDF full text (PDF, 1.6 MB)
Persistent link: http://urn.fi/URN:NBN:fi:oulu-202106198598
Publisher: Oulu : N. Oikarinen
Publish date: 2021-06-22
Thesis type: Bachelor's thesis
Docker containers are an increasingly popular alternative to virtual machines, and they are widely used in small and large organizations alike. Containers are usually based on Linux distributions, so vulnerabilities in those distributions affect every application built on top of the containers. The purpose of this study was to analyse the current security state of selected Linux distributions and to provide insight into the overall security of Docker container usage.
The goal of this study was to identify which components and component versions were used in different OS distributions and how vulnerable those components were. The number and severity of vulnerabilities were compared between OS distributions. Changes in critical and high severity vulnerabilities were compared between container distribution versions, and the lifetimes and types of fixed critical and high severity vulnerabilities were determined. The ISO distributions corresponding to the Docker containers were also analysed for comparison.
The analysis of the ISO and container distributions of Debian, Ubuntu, and CentOS was conducted with Black Duck Binary Analysis (BDBA) software. BDBA analyses the binary code of a distribution, and its results list the identified components, their versions, and the vulnerabilities associated with them.
As a result, the Debian, Ubuntu, and CentOS container distributions were considered secure. The observed container maintenance strategies differed between distributions: Debian and Ubuntu containers were updated periodically (approximately monthly), whereas CentOS container updates were tied to updates of the Linux ISO image, that is, to official releases. The number of critical vulnerabilities was low in all recently released containers. The vulnerabilities fixed between container releases varied widely in age and severity. Even though containers are based on ISO distributions, different versions of the same components were used in them, so their vulnerability profiles can differ. Software rot was observed in all distributions, and it is suggested that only the latest versions of maintained distributions be used unless there is a specific reason not to do so.
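The comparison the abstract describes (severity counts per release, vulnerabilities fixed or introduced between two container releases, component version changes, and the lifetime of fixed critical/high findings) can be reproduced over any component-level scan output. The script below is an added example written for this page; it is not code from the thesis and not BDBA output. The report layout, the image names, the CVE ids of the form CVE-XXXX-000N and all dates are constructed placeholders, and the "lifetime" it computes is an upper bound: the fix is dated by the scan date of the first release that no longer reports the finding, since the actual fix date is not in the scan data.

```python
"""Compare two component vulnerability scan reports of successive container
image releases. The report format, image names, CVE ids and dates are
constructed for this example; they are not BDBA output or thesis data."""
from collections import Counter
from datetime import date

# Constructed scan reports, one per image release.
# findings: (component, vulnerability id, severity, published date)
OLD_RELEASE = {
    "image": "example-distro:old",  # placeholder image name
    "scan_date": date(2021, 3, 1),
    "components": {"openssl": "1.1.1d", "glibc": "2.28", "zlib": "1.2.11", "bash": "5.0"},
    "findings": [
        ("openssl", "CVE-XXXX-0001", "critical", date(2020, 9, 1)),
        ("glibc",   "CVE-XXXX-0002", "high",     date(2019, 6, 15)),
        ("zlib",    "CVE-XXXX-0003", "medium",   date(2020, 1, 10)),
        ("bash",    "CVE-XXXX-0004", "low",      date(2019, 11, 20)),
    ],
}
NEW_RELEASE = {
    "image": "example-distro:new",  # placeholder image name
    "scan_date": date(2021, 4, 1),
    "components": {"openssl": "1.1.1k", "glibc": "2.28", "zlib": "1.2.11", "bash": "5.1"},
    "findings": [
        ("openssl", "CVE-XXXX-0005", "high",   date(2021, 3, 25)),  # new in the updated openssl
        ("glibc",   "CVE-XXXX-0002", "high",   date(2019, 6, 15)),  # still unfixed
        ("zlib",    "CVE-XXXX-0003", "medium", date(2020, 1, 10)),  # still unfixed
    ],
}

SEVERITY_ORDER = ("critical", "high", "medium", "low")


def severity_counts(report):
    """Number of findings per severity, in a fixed order so releases compare cleanly."""
    counts = Counter(severity for _, _, severity, _ in report["findings"])
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def _index(report):
    """Map (component, vulnerability id) -> (severity, published) for set arithmetic."""
    return {(comp, vid): (sev, pub) for comp, vid, sev, pub in report["findings"]}


def diff_findings(old, new):
    """Return (fixed, introduced, persisting) as sets of (component, vulnerability id)."""
    old_keys, new_keys = set(_index(old)), set(_index(new))
    return old_keys - new_keys, new_keys - old_keys, old_keys & new_keys


def component_changes(old, new):
    """Components whose version differs between releases: name -> (old version, new version)."""
    names = set(old["components"]) | set(new["components"])
    return {
        name: (old["components"].get(name), new["components"].get(name))
        for name in names
        if old["components"].get(name) != new["components"].get(name)
    }


def fixed_lifetimes(old, new, severities=("critical", "high")):
    """Days from publication to the scan date of the release that no longer reports
    the finding. This is an upper bound on the real fix lifetime, because the scan
    only shows the first release in which the finding is absent."""
    old_index = _index(old)
    fixed, _, _ = diff_findings(old, new)
    return {
        vid: (new["scan_date"] - old_index[(comp, vid)][1]).days
        for comp, vid in fixed
        if old_index[(comp, vid)][0] in severities
    }


def summarize(old, new):
    """Collect every comparison into one dictionary with deterministic ordering."""
    fixed, introduced, persisting = diff_findings(old, new)
    return {
        "old_counts": severity_counts(old),
        "new_counts": severity_counts(new),
        "fixed": sorted(vid for _, vid in fixed),
        "introduced": sorted(vid for _, vid in introduced),
        "persisting": sorted(vid for _, vid in persisting),
        "version_changes": component_changes(old, new),
        "fixed_lifetime_days": fixed_lifetimes(old, new),
    }


if __name__ == "__main__":
    for key, value in summarize(OLD_RELEASE, NEW_RELEASE).items():
        print(f"{key}: {value}")
```

Keying findings on (component, vulnerability id) rather than on the id alone matters for the "same component, different version" observation in the abstract: a finding that disappears because a component was removed or swapped is reported as fixed, while one that persists across a version bump shows up under "persisting" even though the package changed. Run over real scan exports, the findings lists would be loaded from the scanner's report files instead of the constructed literals above.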
© Niina Oikarinen, 2021. This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.