
Just as an abandoned house soon becomes dilapidated with no one around to keep it in good repair, forgotten containers quickly become riddled with security vulnerabilities that attackers can use to break in.
In a recent study, security company Chainguard found that software no longer supported by its creators continues to be probed by malicious hackers, who keep looking for vulnerabilities in software marked as End of Life (EOL).
“Based on data for nearly 40 popular software projects, EOL software accumulates — on average — 218 CVEs every six months,” wrote Chainguard research intern Trevor Dunlap, in an about-to-be-posted blog item entitled “End-of-life software means 400+ CVEs per year.”
While this conclusion may seem super obvious, all too many organizations still suffer from keeping EOL containerized apps in production.
Last year, as TechCrunch reported, servers of a U.S. federal agency were broken into by exploiting vulnerabilities in Adobe ColdFusion software from the last millennium that the agency was, remarkably, still using to run its website.
EOL software is software that is no longer supported by the creator of the application, either because it is an older version of the software that is no longer maintained, or because the entities that maintained the software are no longer around at all.
In either case, vulnerabilities can still be found in these applications, and since they are no longer patched, they soon become a focus for actors with malicious intent.
“And the problem becomes aggravated when using container images,” Dunlap writes. “Using a container often means adding additional components from underlying ‘base images,’ which can easily lead to images with hundreds of components, each a part of the attack surface.”
The problem only grows worse for users: without regular updates, applications become harder and harder to bring up to the latest version.
Figure: Vulnerabilities reported every six months, by EOL date (Chainguard).
Vulnerabilities Are Not Just in the Application Itself
Looking at software projects listed on endoflife.date, Dunlap found that the longer a project has been EOL, the more vulnerabilities its images collect. The inspection included images for Traefik, F5’s NGINX, Rust, and Python.
Grype was used to scan each release for vulnerabilities.
Vulnerabilities could be found in three locations: in the base images, the application dependencies, or within the application itself.
An image six months out of date can accumulate 218 vulnerabilities, Dunlap found. Bundling an app within a container image makes this worse: 98.4% of the vulnerabilities are found in image components, only 1.4% in the application dependencies, and only 0.2% in the application itself.
Dunlap highlighted Traefik version 2.9 as a random example. This version of the cloud native proxy was EOL’ed in April 2023, with the final release, v2.9.10, published earlier that month.
In the year since, 55 vulnerabilities were reported: four were in the Traefik application itself (e.g. CVE-2023-47633), 31 were found in its dependencies (e.g. CVE-2023-28840 for Docker Swarm), and another 20 related to the Docker image components (e.g. CVE-2023-5363 for Alpine).
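To make the three-location breakdown concrete, here is an added example, not Chainguard's tooling or Dunlap's script, that buckets a Grype JSON report into base-image, dependency and application findings. The sample report is constructed, and the rule that a Go module path containing the application's name counts as the application itself is an assumption.

```python
import json
from collections import Counter

# Grype reports OS packages (apk/deb/rpm) that are inherited from the base image.
OS_PACKAGE_TYPES = {"apk", "deb", "rpm"}

# Constructed sample in Grype's JSON layout (not a real scan result), using the
# Traefik 2.9 CVEs cited in the article.
SAMPLE_REPORT = json.loads("""
{"matches": [
  {"vulnerability": {"id": "CVE-2023-47633", "severity": "Medium"},
   "artifact": {"name": "github.com/traefik/traefik/v2", "version": "v2.9.10",
                "type": "go-module", "locations": [{"path": "/usr/local/bin/traefik"}]}},
  {"vulnerability": {"id": "CVE-2023-28840", "severity": "High"},
   "artifact": {"name": "github.com/docker/docker", "version": "v20.10.21+incompatible",
                "type": "go-module", "locations": [{"path": "/usr/local/bin/traefik"}]}},
  {"vulnerability": {"id": "CVE-2023-5363", "severity": "High"},
   "artifact": {"name": "libssl3", "version": "3.1.3-r0",
                "type": "apk", "locations": [{"path": "/lib/apk/db/installed"}]}},
  {"vulnerability": {"id": "CVE-2023-5363", "severity": "High"},
   "artifact": {"name": "libcrypto3", "version": "3.1.3-r0",
                "type": "apk", "locations": [{"path": "/lib/apk/db/installed"}]}}
]}
""")

def classify_match(match, app_name):
    """Bucket one Grype match by where the vulnerable component lives."""
    artifact = match["artifact"]
    if artifact["type"] in OS_PACKAGE_TYPES:
        return "base_image"   # inherited from the base image layers
    # Heuristic (assumption): a module path containing the app's name is the app itself.
    if app_name in artifact["name"].split("/"):
        return "application"
    return "dependency"       # a third-party library bundled with the app

def summarize(report, app_name):
    """Return {bucket: (count, percent)} over all matches in a Grype JSON report."""
    counts = Counter(classify_match(m, app_name) for m in report.get("matches", []))
    total = sum(counts.values())
    return {
        bucket: (counts[bucket], round(100 * counts[bucket] / total, 1) if total else 0.0)
        for bucket in ("application", "dependency", "base_image")
    }

if __name__ == "__main__":
    # For a real image: grype <image> -o json > report.json, then json.load() it.
    print(summarize(SAMPLE_REPORT, "traefik"))
```

Running the same summary over successive EOL releases of an image is what turns the per-release scan into the "vulnerabilities per six months" trend the study describes.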
Not exactly an uninterested party in this dire pattern of negligence, Chainguard itself offers its own images for many open source software packages, rigorously updated with security and bug fixes.
Nonetheless, “EOL software represents a significant security risk,” Dunlap concluded. “You’re SOL if you’re running EOL container images.”
The post Chainguard: Outdated Containers Accumulate Vulnerabilities appeared first on The New Stack.
Bad news for those who don't upgrade: Hackers keep finding vulnerabilities in software even after the application is no longer supported, Chainguard has found.