The vulnerabilities exploit a confused deputy attack. An unauthorized user can manipulate a privileged process to perform actions on their behalf, without having the necessary rights themselves. Specifically, attackers abuse tools such as Sudo or Postfix to modify AppArmor profiles via pseudo-files such as /sys/kernel/security/apparmor/.load and .replace.
Chainguard draws on telemetry from 290,000 images and almost half a billion builds to examine how customers actually consume and maintain open source components. It finds that foundational language and infrastructure images such as Python, Node, nginx, Go and Redis dominate production usage, forming what it describes as the baseline stack for the modern AI-driven software ecosystem.
Almost a quarter of those surveyed said they had experienced a container-related security incident in the past year. The bottleneck is rarely in detecting vulnerabilities, but mainly in what happens next. Weeks or months can pass between the discovery of a problem and the actual implementation of a solution. During that period, applications continued to run with known risks, making organizations vulnerable, reports The Register.
Docker is launching a new subscription service for its Hardened Images catalog. The secure container images are designed to help organizations achieve near-zero CVEs without the high costs that were previously associated with this. With this launch, Docker is committed to democratizing container security. Every developer often starts their journey at Docker Hub. According to the company, this first step should be secure by default, without a premium price tag.