I now have dockhand running with various agents across various docker hosts (you can even point it at your own stacks folder by specifying it in the docker yaml file), and the latest updates have made it really stable, but ...
The built-in scanner has brought home to me how many vulnerabilities there are in so many containers. I understand most of these are "internal", but would we accept these in, say, VMs or bare metal systems?
For example, the latest nginx proxy manager has the vulnerabilities below. Is it now a question of having to go through every CVE, making sure it cannot be exploited through the ports that you have exposed to your internal network, and specifically for npm, ports 443/80 if externally exposed?
Essentially, accepting these vulnerabilities existing in your network is no different from treating your "contained" docker network like a pseudo DMZ, yuk.
I've always felt uneasy about docker containers; somehow they have been allowed to fly under the radar. I sent a private message to a maintainer of another container I use, thanking him for the work but pointing out the CVEs, and his reply was ...
"check the attack surface of each CVE (over 50 of them) and decide yourself if they fit into your threat model. Keep in mind, xxxxxx is provided as is without any warranty."
I think I agree with him ... the only sensible option is to view your internal docker networks as DMZ zones, and use your containers with this in mind in relation to the rest of your networks and within the docker networks themselves. But above all, seriously reassess your use of the containers if any "open" port to the docker container is also exposed in your firewall to the internet, after reviewing each CVE, making sure each CVE cannot be exploited on that port.
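One way to do the per-port triage described above, as an added example that is not part of the original post and not Dockhand's own code: it classifies each container's published ports from the `HostConfig.PortBindings` section of `docker inspect` output and orders scanner findings so that CVEs in containers bound on all host interfaces are reviewed first. The inspect data and the findings list are constructed samples with placeholder CVE ids; the finding record shape (container, cve, component) is an assumption, not a real scanner format.

```python
import json

# Constructed sample shaped like the relevant slice of `docker inspect` output.
INSPECT_SAMPLE = json.dumps([
    {"Name": "/npm", "HostConfig": {"PortBindings": {
        "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}],
        "443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}],
        "81/tcp": [{"HostIp": "127.0.0.1", "HostPort": "81"}]}}},
    {"Name": "/db", "HostConfig": {"PortBindings": {}}},
])

# Constructed scanner findings with placeholder ids (assumed record shape).
FINDINGS = [
    {"container": "db", "cve": "CVE-EXAMPLE-0003", "component": "openssl"},
    {"container": "npm", "cve": "CVE-EXAMPLE-0002", "component": "libxml2"},
    {"container": "npm", "cve": "CVE-EXAMPLE-0001", "component": "nginx"},
]

ORDER = {"all-interfaces": 0, "host-local": 1, "docker-network-only": 2}

def port_exposure(port_bindings):
    """Map each published port to 'all-interfaces' or 'host-local'.
    Ports absent from the result are reachable only on the docker network."""
    tiers = {}
    for port, binds in (port_bindings or {}).items():
        for b in binds or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                tiers[port] = "all-interfaces"
            elif tiers.get(port) != "all-interfaces":
                tiers[port] = "host-local"
    return tiers

def triage(inspect_json, findings):
    """Attach the container's widest reachability to each finding and sort
    so the most exposed containers come first. Whether a CVE is actually
    exploitable over that port is still a manual review step."""
    exposure = {c["Name"].lstrip("/"): port_exposure(c["HostConfig"].get("PortBindings"))
                for c in json.loads(inspect_json)}
    ranked = []
    for f in findings:
        ports = exposure.get(f["container"], {})
        reach = ("all-interfaces" if "all-interfaces" in ports.values()
                 else "host-local" if ports else "docker-network-only")
        ranked.append({**f, "reachability": reach, "published": sorted(ports)})
    return sorted(ranked, key=lambda r: (ORDER[r["reachability"]], r["cve"]))

if __name__ == "__main__":
    for row in triage(INSPECT_SAMPLE, FINDINGS):
        print(row["reachability"], row["container"], row["cve"], row["component"], row["published"])
```

A host firewall in front of the docker host can narrow the "all-interfaces" tier further; the script only reflects what docker itself publishes.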
Insurance companies will have a problem with this, and now you know about it and it must be handled. Thankfully most insurance company inspectors are not IT people, so they will not do a sweep to find out where the liability might be.