Common Security Threats
Host System-Level Threats
The security of a container is inextricably linked to the security of the host on which it runs. Because containers share the host's OS kernel, any vulnerability at the host level creates a single point of failure: if the host is compromised, every container running on it may also be at risk. Below are some examples.
Unpatched Kernel Vulnerabilities
Since containers make direct syscalls to the host kernel, a kernel-level exploit can allow an attacker to "break out" of the container.
As an example, Dirty COW (CVE-2016-5195) - a famous race condition vulnerability in the Linux kernel - allowed a local user (even one inside a container) to gain root access to the host by exploiting a flaw in how the kernel handled copy-on-write (COW).
Vulnerable Host Binaries and Services
The host runs several background services (SSH, NTP, logging, etc.) and libraries that, if outdated, provide entry points for attackers. Two known examples include:
- Heartbleed (OpenSSL): If the host's OpenSSL library is vulnerable, an attacker can leak memory contents from the host, potentially exposing the private keys used for your container registry or Docker Swarm/Kubernetes secrets.
- Shellshock / Bashdoor:
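As an added defender's check, not code from the book, the following POSIX shell script compares a host's kernel release string against the upstream stable releases that carried the Dirty COW fix (4.8.3, 4.7.9 and 4.4.26; 4.9 and later include it) and runs the standard Shellshock probe against the host's bash. The version thresholds are upstream values and are the script's assumption: distributions backport fixes without changing the version string, so "possibly unpatched" means "check the distro advisory", not "exploitable".

```shell
#!/bin/sh
# Host hygiene check (added example). Version-only checks are a coarse signal:
# distro kernels such as Ubuntu's 4.4.0-NN carry backported fixes, so a
# "possibly unpatched" verdict is a prompt to consult the vendor advisory.

# Return 0 if dotted version $1 >= $2, comparing component by component.
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" = "$a" ] && a='' || a=${a#*.}
        [ "$y" = "$b" ] && b='' || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Dirty COW (CVE-2016-5195): upstream fix landed in 4.8.3, 4.7.9 and 4.4.26
# (assumed thresholds); every mainline kernel from 4.9 on already has it.
# Takes a `uname -r` string like "4.4.0-45-generic"; prints a verdict.
dirty_cow_status() {
    v=${1%%[-+]*}                      # drop "-45-generic" style suffixes
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    case "$major.$minor" in
        4.8) ver_ge "$v" 4.8.3  && echo patched || echo "possibly unpatched" ;;
        4.7) ver_ge "$v" 4.7.9  && echo patched || echo "possibly unpatched" ;;
        4.4) ver_ge "$v" 4.4.26 && echo patched || echo "possibly unpatched" ;;
        *)   ver_ge "$v" 4.9    && echo patched || echo "possibly unpatched" ;;
    esac
}

# Shellshock (CVE-2014-6271): a patched bash ignores the trailing command
# appended to an exported function definition, so nothing is printed.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "bash not installed"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "possibly unpatched" ;;
        *)            echo patched ;;
    esac
}

host_check() {
    k=$(uname -r)
    echo "kernel $k: Dirty COW -> $(dirty_cow_status "$k")"
    echo "bash: Shellshock -> $(shellshock_status)"
}

host_check
```

Run it on the host, not inside a container: a container reports the same `uname -r`, which is exactly the shared-kernel point made above, but the bash it probes is the image's, not the host's.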
Painless Docker - 2nd Edition
A Comprehensive Guide to Mastering Docker and its Ecosystem