Inquiry Regarding Container Image Vulnerabilities and Best Practices

Question

Inquiry Regarding Container Image Vulnerabilities and Best Practices

Anonymous

We are currently in the process of developing a container utilizing the latest version of "mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019". We have also experimented with specific versions such as "mcr.microsoft.com/dotnet/framework/aspnet:4.8-20230711-windowsservercore-ltsc2019" and "mcr.microsoft.com/windows/servercore/iis:windowsservercore-ltsc2022" from 2022. Through the use of the "Container registry images should have vulnerability findings resolved (powered by Qualys)" tool, we have conducted vulnerability scans on these images and have encountered a number of vulnerabilities.

Our challenge arises from a client's policy that restricts the use of images with a certain level of vulnerabilities. Despite utilizing the latest Microsoft images and integrating our own developed application, our client has expressed concerns about the detected vulnerabilities and their potential impact on security.

We understand that Microsoft continuously updates and improves its images to address security vulnerabilities. However, as we integrate our application with the latest Microsoft images, we are left wondering about the appropriate steps to take in addressing these vulnerabilities. Shouldn't the latest Microsoft images already encompass the necessary security fixes? What guidance can we provide to our client in light of these concerns?

Our application is a simple data processing tool that includes a web API developed by our team. Access to this API is exclusively secured through HTTPS, and authentication to the API is facilitated through a token generated by Azure AD app registration.

We appreciate your time and expertise in this matter. Your guidance on how to effectively manage and address vulnerabilities within our container images, as well as how to best communicate with our client, would be highly valuable to us.

Thank you for your attention, and we look forward to your response.

Best regards,
Roberto
User's image

Limitless Technology 44,751 Reputation points

2023-08-08T15:32:14.5433333+00:00
Hello there,

Effectively managing and addressing vulnerabilities within container images is crucial for maintaining the security and integrity of your software. Communication with clients about these vulnerabilities is equally important to establish trust and transparency. Here's a comprehensive approach:

Vulnerability Management:

a. Image Scanning and Analysis:

Use container image scanning tools to identify vulnerabilities in your images. Tools like Trivy, Clair, and Anchore can help detect vulnerabilities in your images' packages and libraries.

b. Continuous Integration/Continuous Deployment (CI/CD) Pipeline:

Integrate vulnerability scanning into your CI/CD pipeline. Scan images before they are deployed, ensuring vulnerabilities are detected early in the development process.

c. Automated Patching:

Set up automated workflows to patch vulnerable images promptly. Regularly update your base images and dependencies to include the latest security patches.

d. Image Versioning:

Tag your container images with version numbers to maintain a clear record of which images have been patched and are free from vulnerabilities.

e. CVE Alerts and Monitoring:

Subscribe to security mailing lists or services that provide notifications about Common Vulnerabilities and Exposures (CVEs) relevant to your container images.

f. Reduce Attack Surface:

Minimize the components and libraries in your images. Remove unnecessary packages to reduce the potential attack surface.

I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer--
Anonymous

2023-08-09T13:11:13.55+00:00

Thank you very much for your response.
Prior to posting our question here, we also utilized Google Search, ChatGPT AI, and Skype Bing AI in our search for a solution, but unfortunately, we couldn't find anything that could assist us.
We had already analyzed the tools you provided, but our container is based on Windows Container 2019, not Linux, and those tools are designed for Linux containers. On another note, we are already using the tool available on Azure for Windows.
Our question is primarily about how to address the vulnerabilities that have been detected, rather than detecting them. When the pod is running, calling 'systeminfo' reveals that it's a "Microsoft Windows Server 2019 Datacenter." We couldn't find any patches for "Microsoft Windows Server 2019 Datacenter" in the vulnerability list. I speculate that since we use the new base container provided by Microsoft with a monthly average, the patches might already be applied. However, this is just my assumption, and I would appreciate getting clarity on this matter.

1 answer

Your answer

Limitless Technology 44,751 Reputation points

2023-08-08T15:32:14.5433333+00:00

Hello there,

Effectively managing and addressing vulnerabilities within container images is crucial for maintaining the security and integrity of your software. Communication with clients about these vulnerabilities is equally important to establish trust and transparency. Here's a comprehensive approach:

Vulnerability Management:

a. Image Scanning and Analysis:

Use container image scanning tools to identify vulnerabilities in your images. Tools like Trivy, Clair, and Anchore can help detect vulnerabilities in your images' packages and libraries.

b. Continuous Integration/Continuous Deployment (CI/CD) Pipeline:

Integrate vulnerability scanning into your CI/CD pipeline. Scan images before they are deployed, ensuring vulnerabilities are detected early in the development process.

c. Automated Patching:

Set up automated workflows to patch vulnerable images promptly. Regularly update your base images and dependencies to include the latest security patches.

d. Image Versioning:

Tag your container images with version numbers to maintain a clear record of which images have been patched and are free from vulnerabilities.

e. CVE Alerts and Monitoring:

Subscribe to security mailing lists or services that provide notifications about Common Vulnerabilities and Exposures (CVEs) relevant to your container images.

f. Reduce Attack Surface:

Minimize the components and libraries in your images. Remove unnecessary packages to reduce the potential attack surface.

I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer--
Anonymous

2023-08-09T13:11:13.55+00:00

Thank you very much for your response.
Prior to posting our question here, we also utilized Google Search, ChatGPT AI, and Skype Bing AI in our search for a solution, but unfortunately, we couldn't find anything that could assist us.
We had already analyzed the tools you provided, but our container is based on Windows Container 2019, not Linux, and those tools are designed for Linux containers. On another note, we are already using the tool available on Azure for Windows.
Our question is primarily about how to address the vulnerabilities that have been detected, rather than detecting them. When the pod is running, calling 'systeminfo' reveals that it's a "Microsoft Windows Server 2019 Datacenter." We couldn't find any patches for "Microsoft Windows Server 2019 Datacenter" in the vulnerability list. I speculate that since we use the new base container provided by Microsoft with a monthly average, the patches might already be applied. However, this is just my assumption, and I would appreciate getting clarity on this matter.

Answer 1

Anonymous

Thank you very much for your response, Limitless Technology

Before posting the question here, we spent several days searching for a solution on Google. We also asked questions to both ChatGPT AI and Bing AI, but unfortunately, we did not find any answers to our problem.

We were already familiar with the tools you mentioned, and they seem to be more focused on scanning images, particularly for Linux rather than Windows containers. However, our concern is not just about image scanning but rather about who and how the vulnerability is resolved, especially when we are basing our container on a container provided by Microsoft.

We meticulously reviewed vulnerability by vulnerability, and it appears that there is no specific "Remediation" applied to "Windows Server 2019 Datacenter," which is the targeted system for the said container.

At this point, our assumption is that by using the latest version of Microsoft's container each month, the available patches for "Windows Server 2019 Datacenter" might have already been applied, although this remains speculative as no patches for it are currently evident.

Carlos Villagomez 1,106 Reputation points Microsoft Employee Moderator

2023-08-25T22:01:45.47+00:00

Hello @Anonymous

If an answer has been helpful, please consider [accepting the answer] to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Hope above answers your question.

Thanks!

Carlos V.
Carlos Villagomez 1,106 Reputation points Microsoft Employee Moderator

2023-08-28T15:52:31.2566667+00:00

Hello @Roberto Alonso

I am following up once again to see if you the previous response resolved your issue or if you require any additional assistance? Please let us know and we'll be happy to assist you further.

Thanks!

Carlos V.
Carlos Villagomez 1,106 Reputation points Microsoft Employee Moderator

2023-08-29T17:08:02.0366667+00:00

Hello @Anonymous

Since we have not heard back from you yet, we will go ahead and proceed with closing this thread. If you do need assistance, please don't hesitate to contact us or leave a comment in response and we will be happy to assist you further if needed.

Thanks!

Carlos V.

Share via

Inquiry Regarding Container Image Vulnerabilities and Best Practices

1 answer

Your answer