Whispers of XZ Utils Backdoor Live on in Old Docker Images
Developers maintaining the images made the "intentional choice" to leave the artifacts available as "a historical curiosity," given the improbability they'd be exploited.
Explore the latest Docker security news, updates, and best practices to safeguard your containers and applications with our information security insights.
Search across headline titles and summaries.
Background for this topic.
Docker is a platform for building, distributing, and running applications as containers. An image packages application code and dependencies; Docker Engine starts it as an isolated process that shares the host’s operating-system kernel, rather than as a full virtual machine. The Docker API and image registries connect local or automated build and deployment workflows.
Security depends on both the daemon and the images it runs. Access to the Docker daemon or its socket can provide extensive control of the host, so the API should not be unnecessarily exposed and socket mounts should be tightly restricted. Privileged containers, excessive Linux capabilities, and broad host filesystem mounts weaken isolation. Image vulnerabilities or malicious dependencies can enter through the build and distribution chain; use trusted, minimal bases, pinned dependencies, vulnerability scanning, provenance controls, and regular rebuilds. Do not place secrets in image layers. Rootless mode and restrictive security profiles can reduce the consequences of a compromised container.
Developers maintaining the images made the "intentional choice" to leave the artifacts available as "a historical curiosity," given the improbability they'd be exploited.
The XZ-Utils backdoor, first discovered in March 2024, is still present in at least 35 Linux images on Docker Hub, potentially putting users, organizations, and their data at risk. [...]
New research has uncovered Docker images on Docker Hub that contain the infamous XZ Utils backdoor, more than a year after the discovery of the incident