docker,

Scan Docker Images for Apache Log4j2 vulnerability

Dec 20, 2021 · 1 min read · Post a comment
Scan Docker Images for Apache Log4j2 vulnerability

Docker Hub already announced public Log4jShell detection which is now live on Docker Official Images. But for those of you who are still using some of the old or custom images, there is a way to scan your Docker Images for Apache Log4j2 vulnerability. Let’s see how can you do it.

Prerequisites

  • Docker

Solution

Step 1. Before using the docker scan tool you should update your docker version to the latest cause versions earlier than v0.11.0 do not detect Log4j 2.

  • To update Docker on Debian based distros, run:
    sudo apt-get update && apt-get install docker-scan-plugin
    
  • To update Docker on RHEL based distros, run:
    sudo yum install docker-scan-plugin
    

Otherwise you can download the docker scan binaries from the official github repo.

Step 2. To verify the docker scan version, run:

sudo docker scan --accept-license --version

Example output:

Version     v0.12.0
Git commit  2085cc0
Provider:   Snyk

If the output has string like ORGAPACHELOGGINGLOG4J probably your code is affected by Apache Log4j2 vulnerability.

Step 3. Now, I’m gonna give you an example how to scan existing Docker images, for instance the hello-world image.

sudo docker scan hello-world

Example output:

Testing hello-world

Organization:     docker-test
Package manager:  linux
Project name:     docker image|hello-world
Licenses:         enabled

Tested 0 dependencies for known issues, no vulnerable paths found.

Step 4. To get a detailed scan report for your custom Docker image use the following syntax:

sudo docker scan --file DOCKERFILE_PATH DOCKER_IMAGE

Conclusion

The most valuable advice is to update the Docker version and keep up to date your images. Feel free to leave a comment below and if you find this tutorial useful, follow our official channel on Telegram.