Docker commands always make use of the latest version of their image
Description
You should always ensure that you are using the latest version of the images within your repository and not cached older versions.
Rationale
Multiple Docker commands, such as docker pull, docker run, etc., are known to have an issue whereby, by default, they use the local copy of the image, if present, even though an updated version of the image with the same tag exists in the upstream repository. This could lead to using older images containing known vulnerabilities.
Audit
- Open your image repository and list the image version history for the image you are inspecting.
- Observe the status when the docker pull command is triggered. If the status is shown as "Image is up to date", it means that you are getting the cached version of the image.
- Match the version of the image you are running to the latest version reported in your repository and this will tell you whether you are running the cached version or the latest copy.
Remediation
You should use proper version pinning mechanisms (the “latest” tag, which is assigned by default, is still vulnerable to caching attacks) to avoid using cached older versions. Version pinning mechanisms should be used for base images, packages, and entire images. You can customize version pinning rules according to your requirements.
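The audit and remediation steps above, as an added shell example that is not part of the benchmark text: pull_status() classifies the "Image is up to date" line the audit looks for, check_tag() and repo_digest() run that check against a live Docker CLI (assumed to be installed), and pin_from_line() rewrites a Dockerfile FROM line to an immutable digest so a cached or superseded tag can no longer be served silently. The sample pull output and digests are constructed.

```shell
#!/bin/sh
# Added example for the audit and remediation above; not part of the benchmark.
# The parsing helpers run on constructed sample text; check_tag() and
# repo_digest() additionally assume a working Docker CLI.

# Classify the status line printed by `docker pull`: "cached" when the daemon
# reports "Image is up to date", "updated" when it downloaded a newer image.
pull_status() {
    case "$1" in
        *"Image is up to date"*)    echo cached ;;
        *"Downloaded newer image"*) echo updated ;;
        *)                          echo unknown ;;
    esac
}

# Live audit: pull the tag and report whether the local copy was already current.
check_tag() {
    pull_status "$(docker pull "$1" 2>&1)"
}

# Digest of the locally cached image for a tag (empty if the image is absent).
repo_digest() {
    docker image inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null | sed 's/.*@//'
}

# Remediation helper: rewrite a Dockerfile "FROM repo:tag ..." line so the
# image is pinned to an immutable digest. Keeps --platform flags and stage
# names; leaves already-pinned and non-FROM lines untouched.
pin_from_line() {
    line="$1"; digest="$2"
    case "$line" in
        FROM*@sha256:*) echo "$line"; return 0 ;;
        "FROM "*)       ;;
        *)              echo "$line"; return 0 ;;
    esac
    set -- $line
    keyword="$1"; shift
    flags=""
    while [ $# -gt 0 ] && [ "${1#--}" != "$1" ]; do
        flags="$flags $1"; shift
    done
    image="$1"; [ $# -gt 0 ] && shift
    printf '%s%s %s@%s' "$keyword" "$flags" "$image" "$digest"
    [ $# -gt 0 ] && printf ' %s' "$*"
    printf '\n'
}

# Constructed sample: what `docker pull` prints when the cache is served.
SAMPLE_PULL='Status: Image is up to date for alpine:3.19'
# Usage (live): check_tag alpine:3.19; pin_from_line "FROM alpine:3.19" "$(repo_digest alpine:3.19)"
```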
Impact
None
Default value
By default, Docker commands use the local copy of an image unless version pinning mechanisms are used or the local cache is cleared.
References
- https://github.com/docker/docker/pull/16609
CIS controls
Version 6
18.1 Use Only Vendor-supported Software - For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.
Version 7
18.3 Verify That Acquired Software is Still Supported - Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.