Get the latest, first
Uncover the CVE shocking truth – image vulnerabilities exposed and prioritized

Uncover the CVE shocking truth – image vulnerabilities exposed and prioritized

Jul 6, 2023

Ben Hirschberg
CTO & Co-founder

Scanning containers’ images is not enough, pinpointing the CVEs that impact your security posture is key.

Public images are a key component of the cloud-native ecosystem. Also known as container images, they are pre-built and publicly available software packages that contain all the necessary dependencies and configurations for an application to run in a containerized environment. They allow developers to quickly and easily deploy applications without having to worry about building and maintaining their own images.

Unfortunately, they typically come with many vulnerabilities. When you incorporate these images, your system becomes susceptible to these vulnerabilities. While top vulnerability scanners can identify and rate these vulnerabilities based on the CVSS (Common Vulnerability Scoring System) score, it’s important to note that this alone does not drive a solution. In fact, the scan result is often a very long list of vulnerabilities and their scores, with no further insights. This can lead to a phenomenon known as “CVE Shock.”

In this blog post we will introduce the concept of relevancy of vulnerabilities to a specific Kubernetes infrastructure. We will show how pinpointing relevant vulnerabilities cuts the number of CVEs that need to be addressed by over 60%. 

About the research

ARMO security researchers took ten of the most popular container images and analyzed the results of a regular vulnerability scan vs. one that filters for relevant ones

The images selected:

Redisredis:7.0.11-alpine
Nginxnginx:1.14.2
Elasticsearchelasticsearch:8.5.1
Kafkawurstmeister/kafka:2.12-2.3.0
Zookeeperzookeeper:3.7.0-debian-10-r70
Mysqlmysql:5.7.25
Postgrespostgres:9.6.18
MongoDBmongo:4
Grafanagrafana:9.5.3
ArgoCDargocd:v2.7.4
Details of the images scanned for vulnerabilities by ARMO Platform

Environment details: We ran Kubernetes 1.27 on Minikube 1.27

Please note that results may vary, depending on the image version, time of scanning and your specific environment.

Research results

Consider Redis. Redis is an open-source, in-memory data structure store used as a database, cache, and message broker. When running the Redis image noted above, ARMO security researchers found the following results:

CriticalHighMediumLowNegligibleTotal% Reduction
Regular Scan31549528383%
Relevancy Scan2243314
Detailed results of the Redis image scan

We can see that running a vulnerability scan on the Redis image yields 83 vulnerabilities. When looking through the lens of relevancy that number shrinks to 14, which represents an 83% reduction.

For those of you that are more visual, you can see the impressive reduction in the following chart:

Redis vulnerabilities by CVSS score

The implication of this exercise is that users of the Redis image in question, on the environment in question need to fix only 14 CVEs in order to create a real impact on their security posture.

The scan results of the other images that were checked are summarized in the charts below:

Relevant CVEs CVEs to deal with later 
Legend👆
Only 4.8% relevant CVEs for
Nginx
Less than half relevant CVEs for Elasticsearch
Only 6.7% relevant CVEs for
Kafka
Less than 25% relevant CVEs for Zookeeper

Only 1.9% relevant CVEs for MySQL
Only 17.2% relevant CVEs for MongoDB
Only 13% relevant CVEs for Postgres
Only 19% relevant CVEs for ArgoCD
Nearly 80% relevant CVEs for Grafana

For those of you that want to dive deeper into the numbers, you can use the source data as represented in the following table:

CVEsCriticalHighMediumLowNegligibleTotal% Reduction
container imagesallrelallrelallrelallrelallrelallrel
Nginx553102585652210233961995%
Elasticsearch44444211525433019222510354%
Kafka2367627470254851315110697293%
Zookeeper428122169022025632021213175043175%
Mysql270592290551902260598%
Postgres191344245234034851015125119115587%
MongoDB0011322223029583%
ArgoCD328416526050581181%
Grafana3311522202200383021%
Detailed CVE counts of images scanned for vulnerabilities

It is important to note the significant number of vulnerabilities that are classified as medium or low based on their CVSS score. Malicious actors are well aware of the common practice among Kubernetes infrastructure security teams to prioritize patching or mitigating vulnerabilities with the highest CVSS score. As a result, lower-scoring but still relevant vulnerabilities can often remain unaddressed for extended periods, ranging from weeks to even months. These overlooked vulnerabilities can serve as potential entry points for attack vectors, posing a significant risk to the overall security of the system.

Conclusion

ARMO’s research on public images proves without a doubt that using them is not risk-free. They introduce vulnerabilities into the software that uses them. That being said, some of the vulnerabilities introduced are not relevant and fixing them can be deprioritized. Thus, avoiding debilitating teams with “CVE Shock”.

To learn more about how to approach this and how ARMO implemented relevancy whilst leveraging eBPF you can read more on this blog post. For implementation and full technical coverage please visit our documentation hub

If you’d like to try out Relevancy yourself, it is now generally available to all ARMO Platform users. Not an ARMO Platform user yet? Sign-up, it’s free.

Actionable, contextual, end-to-end <br/> {<mark>Kubernetes-native security</mark>}

From code to cluster, helm to node, we’ve got your Kubernetes covered:

Cut the CVE noise by significantly reducing CVE-related work by over 90%

Automatic Kubernetes compliance for CIS, NSA, Mitre, SOC2, PCI, and more

Manage Kubernetes role-based-access control (RBAC) visually

slack_logos

Continue to Slack

Get the information you need directly from our experts!

new-messageContinue as a guest