{"id":1031,"date":"2020-06-17T15:06:09","date_gmt":"2020-06-17T13:06:09","guid":{"rendered":"https:\/\/blog.tiraquelibras.com\/?p=1031"},"modified":"2020-06-17T15:06:11","modified_gmt":"2020-06-17T13:06:11","slug":"auditar-vulnerabilidades-en-imagenes-docker","status":"publish","type":"post","link":"https:\/\/blog.tiraquelibras.com\/?p=1031","title":{"rendered":"Auditing vulnerabilities in Docker images"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Intro\"><\/span>Intro<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The microservices served from the <strong>Docker<\/strong> platform are also exposed to vulnerabilities that can be exploited just as a server would be. After all, a container is an operating system with its own or shared network connectivity, and possibly with some exposed port through which it can be reached.<\/p>\n\n\n\n<p>It is good practice to keep the images from which we bring up our <em>Containers<\/em> audited. For this we will use a simple tool called <strong><a href=\"https:\/\/github.com\/aquasecurity\/trivy\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">Trivy<\/a><\/strong>, which can be installed on the system or run from its own Docker container. In this post we will use the second option, since running it as a container requires no installation at all, which makes the explanation much simpler.<\/p>\n\n\n\n<p>This tool does not support the <strong>ARM<\/strong> architecture, so it cannot be used from a device such as a <em>Raspberry Pi<\/em>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Entorno_de_prueba\"><\/span>Test environment<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We will use a <em>Debian<\/em> server with the <em>Docker<\/em> software installed.<br>We will also use the official <em>Ubuntu<\/em> image, which we pull with the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker pull ubuntu:latest<\/code><\/pre>\n\n\n\n<p>The image is now downloaded:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker images\n\nREPOSITORY          TAG                 IMAGE ID            CREATED             SIZE\nubuntu              latest              1d622ef86b13        7 weeks ago         73.9MB<\/code><\/pre>\n\n\n\n<p>Before running the analysis, we create a <em>cache<\/em> directory into which the program will download all the information it uses during the scan; we will pass this directory to every command we run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">mkdir \/root\/Trivy-Docker<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Analisis\"><\/span>Analysis<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>We will run the analysis using the Docker service of our host machine to perform the vulnerability scan.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Imagen_recien_descargada\"><\/span>Freshly downloaded image<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>We analyze the freshly downloaded <em>ubuntu:latest<\/em> image:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker run --rm -v \/var\/run\/docker.sock:\/var\/run\/docker.sock -v \/root\/Trivy-Docker\/:\/root\/.cache\/ aquasec\/trivy ubuntu:latest\n\n2020-06-16T19:51:03.846Z        WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed\n2020-06-16T19:51:03.849Z        INFO    Need to update DB\n2020-06-16T19:51:03.849Z        INFO    Downloading DB...\n16.60 MiB \/ 16.60 MiB [---------------------------------------------------] 100.00% 12.43 MiB p\/s 2s\n2020-06-16T19:51:09.567Z        INFO    Detecting Ubuntu vulnerabilities...\n\nubuntu:latest (ubuntu 20.04)\n============================\nTotal: 26 (UNKNOWN: 0, LOW: 18, MEDIUM: 7, HIGH: 1, CRITICAL: 0)\n\n+---------------+------------------+----------+-------------------+-------------------+--------------------------------+\n|    LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |             TITLE              |\n+---------------+------------------+----------+-------------------+-------------------+--------------------------------+\n| apt           | CVE-2020-3810    | MEDIUM   | 2.0.2             | 2.0.2ubuntu0.1    | Missing input validation in    |\n|               |                  |          |                   |                   | the ar\/tar implementations of  |\n|               |                  |          |                   |                   | APT before version 2.1.2...    |\n+---------------+------------------+----------+-------------------+-------------------+--------------------------------+\n| bash          | CVE-2019-18276   | LOW      | 5.0-6ubuntu1      |                   | bash: when effective UID is    |\n|               |                  |          |                   |                   | not equal to its real UID      |\n|               |                  |          |                   |                   | the...                         |\n+---------------+------------------+          +-------------------+-------------------+--------------------------------+\n| coreutils     | CVE-2016-2781    |          | 8.30-3ubuntu2     |                   | coreutils: Non-privileged      |\n|               |                  |          |                   |                   | session can escape to the      |\n|               |                  |          |                   |                   | parent session in chroot       |\n+---------------+------------------+          +-------------------+-------------------+--------------------------------+\n| dpkg          | CVE-2017-8283    |          | 1.19.7ubuntu3     |                   | dpkg-source in dpkg 1.3.0      |\n|               |                  |          |                   |                   | through 1.18.23 is able to use |\n|               |                  |          |                   |                   | a non-GNU...                   |\n+---------------+------------------+          +-------------------+-------------------+--------------------------------+\n...<\/code><\/pre>\n\n\n\n<p>We have shortened the output since it is very long. We see that 26 vulnerabilities were identified, distributed across <em>Low<\/em>, <em>Medium<\/em> and <em>High<\/em> severity. This means that if we bring up a Container from this image and do not update it, it will carry vulnerabilities from the very first moment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Imagen_actualizada\"><\/span>Updated image<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>To avoid leaving the image in this state, we will bring up a Container from it, update it, and create a new image from that container, which we will then audit for vulnerabilities.<\/p>\n\n\n\n<p>We bring up the container:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker container run -itd ubuntu:latest\n\n56c87dfe8a46976d8e1fdf0a4ec83f9589973e620c121fc9262969d553747b52\nroot@h2847530:~# docker ps\nCONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES\n56c87dfe8a46        ubuntu:latest       \"\/bin\/bash\"         3 seconds ago       Up 1 second                             vibrant_allen<\/code><\/pre>\n\n\n\n<p>We enter it, update it and exit:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker container exec -it 56c87dfe8a46 bash\n\nroot@56c87dfe8a46:\/$\nroot@56c87dfe8a46:\/$ apt update\n...\nroot@56c87dfe8a46:\/$ apt-get dist-upgrade\n...\nroot@56c87dfe8a46:\/$ exit<\/code><\/pre>\n\n\n\n<p>We create an image from this updated container, which we will call <em>ubuntu-updated<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">docker commit 56c87dfe8a46 ubuntu-updated<\/code><\/pre>\n\n\n\n<p>The image is now created:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker images\nREPOSITORY          TAG                 IMAGE ID            CREATED             SIZE\nubuntu-updated      latest              e37a75457fe4        24 hours ago        103MB\nubuntu              latest              1d622ef86b13        7 weeks ago         73.9MB<\/code><\/pre>\n\n\n\n<p>We scan the new image for vulnerabilities:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker run --rm -v \/var\/run\/docker.sock:\/var\/run\/docker.sock -v \/root\/Trivy-Docker\/:\/root\/.cache\/ aquasec\/trivy ubuntu-updated\n\n2020-06-16T20:02:45.595Z        WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed\n2020-06-16T20:02:47.520Z        INFO    Detecting Ubuntu vulnerabilities...\n\nubuntu-updated (ubuntu 20.04)\n=============================\nTotal: 23 (UNKNOWN: 0, LOW: 18, MEDIUM: 5, HIGH: 0, CRITICAL: 0)\n\n+-------------+------------------+----------+-------------------+---------------+--------------------------------+\n|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |\n+-------------+------------------+----------+-------------------+---------------+--------------------------------+\n| bash        | CVE-2019-18276   | LOW      | 5.0-6ubuntu1      |               | bash: when effective UID is    |\n|             |                  |          |                   |               | not equal to its real UID      |\n|             |                  |          |                   |               | the...                         |\n+-------------+------------------+          +-------------------+---------------+--------------------------------+\n| coreutils   | CVE-2016-2781    |          | 8.30-3ubuntu2     |               | coreutils: Non-privileged      |\n|             |                  |          |                   |               | session can escape to the      |\n|             |                  |          |                   |               | parent session in chroot       |\n+-------------+------------------+          +-------------------+---------------+--------------------------------+\n| dpkg        | CVE-2017-8283    |          | 1.19.7ubuntu3     |               | dpkg-source in dpkg 1.3.0      |\n|             |                  |          |                   |               | through 1.18.23 is able to use |\n|             |                  |          |                   |               | a non-GNU...                   |\n+-------------+------------------+          +-------------------+---------------+--------------------------------+\n| gpgv        | CVE-2019-13050   |          | 2.2.19-3ubuntu2   |               | GnuPG: interaction between the |\n|             |                  |          |                   |               | sks-keyserver code and GnuPG   |\n|             |                  |          |                   |               | allows for a Certificate...    |\n+-------------+------------------+          +-------------------+---------------+--------------------------------+\n...<\/code><\/pre>\n\n\n\n<p>We have trimmed the final output since it is very long. We see that 23 vulnerabilities were found, distributed across <em>Low<\/em>, <em>Medium<\/em> and <em>High<\/em> severity. This means that some vulnerabilities were fixed by updating the Container.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Interpretar_el_resultado\"><\/span>Interpreting the results<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>As we have seen, far too many results are shown; many of them stem from:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Very old vulnerabilities that have never been fixed, probably because they do not pose a serious security problem.<\/li><li>Reported security issues that do not yet have a candidate release in which they are fixed.<\/li><\/ul>\n\n\n\n<p>In both cases, if we look at the results we see that the <em>Fixed version<\/em> column is empty for the updated <em>ubuntu-updated<\/em> image, meaning there is no candidate fix for the vulnerability. Therefore, the entries where a newer version does appear are the ones that deserve our closest attention.<\/p>\n\n\n\n<p>To filter the output down to the findings we can actually fix, the scanner has an option we will look at in the next section.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Opciones_del_programa\"><\/span>Program options<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To get more concise output that is easier to interpret and handle, we can use the following options:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>--light<\/strong>: with this option we drop the details of each vulnerability:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker run --rm -v \/var\/run\/docker.sock:\/var\/run\/docker.sock -v \/root\/Trivy-Docker\/:\/root\/.cache\/ aquasec\/trivy --light ubuntu-updated\n\n2020-06-16T21:34:52.737Z        WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed\n2020-06-16T21:34:52.739Z        INFO    Need to update DB\n2020-06-16T21:34:52.739Z        INFO    Downloading DB...\n4.40 MiB \/ 4.40 MiB [------------------------------------------------------] 100.00% 4.79 MiB p\/s 1s\n2020-06-16T21:34:55.044Z        INFO    Detecting Ubuntu vulnerabilities...\n\nubuntu-updated (ubuntu 20.04)\n=============================\nTotal: 23 (UNKNOWN: 0, LOW: 18, MEDIUM: 5, HIGH: 0, CRITICAL: 0)\n\n+-------------+------------------+----------+-------------------+---------------+\n|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |\n+-------------+------------------+----------+-------------------+---------------+\n| bash        | CVE-2019-18276   | LOW      | 5.0-6ubuntu1      |               |\n+-------------+------------------+          +-------------------+---------------+\n| coreutils   | CVE-2016-2781    |          | 8.30-3ubuntu2     |               |\n+-------------+------------------+          +-------------------+---------------+\n| dpkg        | CVE-2017-8283    |          | 1.19.7ubuntu3     |               |\n+-------------+------------------+          +-------------------+---------------+\n| gpgv        | CVE-2019-13050   |          | 2.2.19-3ubuntu2   |               |\n+-------------+------------------+          +-------------------+---------------+\n| libc-bin    | CVE-2016-10228   |          | 2.31-0ubuntu9     |               |\n+             +------------------+          +                   +---------------+\n|             | CVE-2020-6096    |          |                   |               |\n...<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>--ignore-unfixed<\/strong>: with this option, vulnerabilities that have no fixed version available are not shown. For example:<\/li><\/ul>\n\n\n\n<p>Our downloaded <em>ubuntu:latest<\/em> image, with several vulnerabilities detected:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker run --rm -v \/var\/run\/docker.sock:\/var\/run\/docker.sock -v \/root\/Trivy-Docker\/:\/root\/.cache\/ aquasec\/trivy --light --ignore-unfixed ubuntu:latest\n\n2020-06-16T21:56:55.948Z        WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed\n2020-06-16T21:56:55.966Z        INFO    Detecting Ubuntu vulnerabilities...\n\nubuntu (ubuntu 20.04)\n=====================\nTotal: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)\n\n+---------------+------------------+----------+-------------------+-------------------+\n|    LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |\n+---------------+------------------+----------+-------------------+-------------------+\n| apt           | CVE-2020-3810    | MEDIUM   | 2.0.2             | 2.0.2ubuntu0.1    |\n+---------------+                  +          +                   +                   +\n| libapt-pkg6.0 |                  |          |                   |                   |\n+---------------+------------------+----------+-------------------+-------------------+\n| libgnutls30   | CVE-2020-13777   | HIGH     | 3.6.13-2ubuntu1   | 3.6.13-2ubuntu1.1 |\n+---------------+------------------+----------+-------------------+-------------------+<\/code><\/pre>\n\n\n\n<p>Our updated <em>ubuntu-updated<\/em> image, with no pending fixes left to apply:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">$ docker run --rm -v \/var\/run\/docker.sock:\/var\/run\/docker.sock -v \/root\/Trivy-Docker\/:\/root\/.cache\/ aquasec\/trivy --light --ignore-unfixed ubuntu-updated\n\n2020-06-16T21:58:19.088Z        WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed\n2020-06-16T21:58:19.110Z        INFO    Detecting Ubuntu vulnerabilities...\n\nubuntu-updated (ubuntu 20.04)\n=============================\nTotal: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>As we have seen, updating our Containers is a task that should be part of any scheduled security routine, just as it is for a conventional server, especially if we expose any of their ports through the <em>Docker Host<\/em> on one of its public interfaces.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Herramientas_similares\"><\/span>Similar tools<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Other similar tools, though more complex to use, are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Anchore Engine, with a Docker version available: https:\/\/github.com\/anchore\/anchore-engine<\/li><li>Clair + Klar, deployed on Docker technologies: https:\/\/github.com\/quay\/clair and https:\/\/github.com\/optiopay\/klar<\/li><\/ul>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Enlaces_de_interes\"><\/span>Links of interest<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Official page of the <a href=\"https:\/\/github.com\/aquasecurity\/trivy\" class=\"external external_icon\" rel=\"nofollow\" target=\"_blank\">Trivy<\/a> project.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Intro The microservices served from the Docker platform are also exposed to vulnerabilities that can be exploited just as a server would be.<\/p>\n","protected":false},"author":1,"featured_media":1032,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,10,22],"tags":[112,111,113],"class_list":["post-1031","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ciberseguridad","category-sistemas","category-ti","tag-cvs","tag-update","tag-vulnerabilidad"],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts\/1031","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1031"}],"version-history":[{"count":0,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/posts\/1031\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=\/wp\/v2\/media\/1032"}],"wp:attachment":[{"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1031"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1031"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tiraquelibras.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1031"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}